Is it safe to use the 'UnsafeAllow3F' flag?

Hi,

A few days ago the 'UnsafeAllow3F' flag was introduced:
https://httpd.apache.org/security/vulnerabilities_24.html

After the update, we have started to get a lot of 403s due to the
encoded '?' in the URLs passed as query parameters. To fix the problem
we have started to stop encoding the '?' in the application code, but
there are parts of our application where this is very difficult to do, for
example when using third-party libraries, because the encoding happens
internally. So we are evaluating adding the flag 'UnsafeAllow3F' to
our rewrite rule, but due to the name of the flag and the
documentation it's not clear whether using the flag is safe or not:

> Setting this flag is required to allow a rewrite to continue if the HTTP request being written has an encoded question mark, '%3f', and the rewritten result has a '?' in the substitution. This protects from a malicious URL taking advantage of a capture and re-substitution of the encoded question mark.
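
A triage sketch for the situation described in the post, added here as an example and not part of the original message or of httpd: it scans access-log lines for 403 responses whose request target contains an encoded question mark and reports whether the `%3f` sits in the path or in the query string, grouped by first path segment, so the affected rewrite rules can be reviewed one by one before any flag is added. The combined log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jul/2024:10:00:01 +0000] "GET /go/https%3A%2F%2Fexample.test%2Fa%3Fb%3D1 HTTP/1.1" 403 199 "-" "demo"
192.0.2.11 - - [10/Jul/2024:10:00:02 +0000] "GET /redirect?url=https%3A%2F%2Fexample.test%2Fa%3Fb%3D1 HTTP/1.1" 403 199 "-" "demo"
192.0.2.11 - - [10/Jul/2024:10:00:03 +0000] "GET /redirect?url=https%3A%2F%2Fexample.test%2Fc%3Fd%3D2 HTTP/1.1" 403 199 "-" "demo"
192.0.2.12 - - [10/Jul/2024:10:00:04 +0000] "GET /redirect?url=plain HTTP/1.1" 200 512 "-" "demo"
192.0.2.13 - - [10/Jul/2024:10:00:05 +0000] "GET /admin HTTP/1.1" 403 199 "-" "demo"
192.0.2.14 - - [10/Jul/2024:10:00:06 +0000] "GET /go/x%3fy HTTP/1.1" 200 512 "-" "demo"
"""

# Request line and status code as they appear in the combined log format.
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')


def classify(target):
    """Say where an encoded '?' (%3f, any case) appears in a request target.

    Returns "path", "query", "path+query", or None when there is none.
    The split is on the first literal '?', as in a normal URL.
    """
    path, _, query = target.partition("?")
    in_path = "%3f" in path.lower()
    in_query = "%3f" in query.lower()
    if in_path and in_query:
        return "path+query"
    if in_path:
        return "path"
    return "query" if in_query else None


def triage(lines, status="403"):
    """Count rejected requests carrying %3f, keyed by (first path segment, location)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("status") != status:
            continue
        location = classify(m.group("target"))
        if location is None:
            continue  # a 403 unrelated to an encoded question mark
        path = m.group("target").partition("?")[0]
        first_segment = "/" + path.lstrip("/").split("/", 1)[0]
        hits[(first_segment, location)] += 1
    return hits


if __name__ == "__main__":
    for (segment, location), count in triage(SAMPLE_LOG.splitlines()).most_common():
        print(f"{count:4d}  {segment:<12} %3f in {location}")
```
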
