Re: [squid-users] [PATCH] Raw URL path ACL

From: Steve Hill <steve@dont-contact.us>
Date: Mon, 21 Jun 2004 12:46:31 +0100 (BST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 21 Jun 2004, Muthukumar wrote:

> > It works in exactly the same way as "urlpath_regex"
> > except no unescaping of the URI is done first, which makes it possible to
> > filter specific attacks that escape some characters in the URI without
> > blocking legitimate requests.
>
> If you use the uri_whitespace option with strip mode, it will be like that.
>
> > I.e. you can filter URIs containing "%2easp" (the signature of some
> > attacks) without blocking legitimate requests for ".asp"
>
> We can use allow or encode mode there.

As I understand it (from reading the documentation in the example config),
uri_whitespace only affects whitespace characters, have I misunderstood?
I am talking about normal printable characters. i.e. the character "P"
can be sent through a URI as either "P" or "%50". When filtering them
using url_regex they will both match a regex containing "P". This is
valid behaviour since the web server will usually unescape the path so
your filter which blocks "PORN" still wants to catch it if someone tries
to bypass it by requesting "%50ORN". However, in some situations (such as
where URIs containing these escaped printable characters are a signature
of a type of attack) you will want to be able to differentiate between the
two.

In any case, uri_whitespace is a global option and would affect
everything, whereas urlpath_regex and urlpath_raw_regex can be mixed.

(did that make sense or have I misunderstood? :)

- - Steve Hill
Senior Software Developer Email: steve@navaho.co.uk
Navaho Technologies Ltd. Tel: +44-870-7034015

        ... Alcohol and calculus don't mix - Don't drink and derive! ...

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Public key available at http://linux.navaho.co.uk/pubkey.steve.txt

iD8DBQFA1sqZb26jEkrydY4RAvPMAJ9husO9qyYNH+QTn9CkwwKjBcQ6VgCfbzAC
ZsGWD0/16YscjNt0r22//I4=
=QtF/
-----END PGP SIGNATURE-----
Received on Mon Jun 21 2004 - 05:46:52 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Jul 01 2004 - 12:00:03 MDT
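The distinction Steve draws above (matching after percent-decoding versus matching the path exactly as the client sent it) is easy to model outside Squid. The block below is an added example written for this archive page; it is not code from the thread, from the patch under discussion, or from Squid itself. decoded_match() stands in for urlpath_regex and raw_match() for the proposed urlpath_raw_regex; the function names, the two filter lists and the sample URIs are all constructed for the illustration.

```python
"""Added example (not part of the original thread or of Squid's code):
a minimal model of the two matching modes discussed above.

decoded_match() stands in for urlpath_regex: the path is percent-decoded
before the regex runs, so "%50ORN" and "PORN" both match a "PORN" filter.
raw_match() stands in for the proposed urlpath_raw_regex: the regex runs
on the path exactly as received, so a signature such as "%2easp" can be
blocked without touching legitimate requests for ".asp".
Function names, sample URIs and both filter lists are constructed here.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed filter lists (regex strings, matched case-insensitively).
BLOCK_DECODED = [r"PORN"]            # content filter: must survive %-escaping
BLOCK_RAW = [r"%2e(asp|aspx)\b"]     # attack signature: only meaningful pre-decoding


def url_path(uri):
    """Return the path of an absolute URI, query string included."""
    parts = urlsplit(uri)
    return parts.path + ("?" + parts.query if parts.query else "")


def decoded_match(uri, patterns):
    """urlpath_regex-style check: unescape the path first, then match."""
    path = unquote(url_path(uri))
    return any(re.search(p, path, re.IGNORECASE) for p in patterns)


def raw_match(uri, patterns):
    """urlpath_raw_regex-style check: match the path exactly as received."""
    path = url_path(uri)
    return any(re.search(p, path, re.IGNORECASE) for p in patterns)


def decide(uri):
    """Combine the two ACL styles the way a pair of http_access deny lines would:
    the content filter sees the decoded path, the signature filter the raw one."""
    if decoded_match(uri, BLOCK_DECODED):
        return "deny:content"
    if raw_match(uri, BLOCK_RAW):
        return "deny:escaped-signature"
    return "allow"


# Constructed sample requests and the verdict each should receive.
SAMPLES = {
    "http://example.test/PORN/index.html": "deny:content",
    "http://example.test/%50ORN/index.html": "deny:content",        # escaped bypass attempt
    "http://example.test/default.asp": "allow",                     # legitimate .asp request
    "http://example.test/default%2easp": "deny:escaped-signature",  # escaped "." signature
    "http://example.test/images/logo.png": "allow",
}

if __name__ == "__main__":
    for uri, expected in SAMPLES.items():
        got = decide(uri)
        print(f"{got:24} {uri}")
        assert got == expected, (uri, got, expected)
```

The point the model makes concrete: a decoded-path ACL cannot tell "default.asp" from "default%2easp" because both decode to the same string, so any rule written against the escaped form either misses it or blocks every legitimate .asp request too; the raw-path check sees the "%2e" and can act on it alone, while the content filter keeps working on the decoded path for the "%50ORN" case.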