httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jakub Nieznalski <j.nieznal...@autohaus24.de>
Subject Re: [users@httpd] response with 400 when URI params are malformed
Date Fri, 08 Feb 2013 09:33:38 GMT
Hi,

Thanks for the reply.
It looks that Apache is handling the malformed params properly, but
not with phusion passenger module.
I've already created an issue on PP project.
If this will not get resolved I will create a simple rule with mod_taint

Best regards

Jakub Nieznalski

2013/2/5 Nick Kew <nick@webthing.com>:
>
> On 5 Feb 2013, at 14:29, Jakub Nieznalski wrote:
>
>> Hi,
>>
>> I've got problem that Apache accepts malformed URI, for example localhost/?foo=bar%
The percent sign makes that request unvalid, but Apache will accept that. Nginx, or Unicorn
will respond with 400.
>
> That's a request for URL / , with parameters foo=bar%
>
> I'd guess nothing in your server is looking at the parameters.
> If it's a static page and there's no complex configuration that
> might be affected by parameters, why should the server waste
> its time?
>
> Note that if you request /foo=bar% you will indeed get a 400.
>
>> How can I achieve the same result? Is there any mod or rule that will tell apache
to return 400 for invalid request?
>
> If you want to protect some vulnerable application, a WAF.
> For a simpler solution to just the question, mod_taint.
>
> --
> Nick Kew
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message