On Fri, Nov 7, 2008 at 3:12 AM, Vlad Seryakov
<ser...@us...> wrote:
> + # If address set to 0.0.0.0 in nssock to listen on
> + # all interfaces we may try to use Host: header to
> + # return proper urls
> + #
> +
> + if { $loc == "http://0.0.0.0" } {
> + set host [ns_set iget [ns_conn headers] Host]
> + if { $host != "" } {
> + set loc http://$host
> + }
> + }
You can't take unfiltered input from the host header and then feed it
back to ns_returnredirect as this vulnerable to a response splitting
attack.
http://www.google.co.uk/search?q=response+splitting
It seems like this may be a more general kind of bug. After all, it's
not just in directory listings that 0.0.0.0 is an invalid host
address. Take a look at conn.c:Ns_ConnLocationAppend() -- looks like
this is where the fix needs to go.
This is a tricky are so add some extra tests in tests/ns_conn_host.test
|
