IETF Logo Mail Archive

Re: [apps-discuss] Discussion Place for CGI/1.1

Mark Nottingham <mnot@mnot.net> Mon, 05 December 2011 03:50 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DA461F0C36 for <apps-discuss@ietfa.amsl.com>; Sun, 4 Dec 2011 19:50:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.127
X-Spam-Level:
X-Spam-Status: No, score=-105.127 tagged_above=-999 required=5 tests=[AWL=-2.528, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 59lXRVu2OU58 for <apps-discuss@ietfa.amsl.com>; Sun, 4 Dec 2011 19:50:46 -0800 (PST)
Received: from mxout-08.mxes.net (mxout-08.mxes.net [216.86.168.183]) by ietfa.amsl.com (Postfix) with ESMTP id 285311F0C34 for <apps-discuss@ietf.org>; Sun, 4 Dec 2011 19:50:45 -0800 (PST)
Received: from mnot-mini.mnot.net (unknown [118.209.121.109]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id C9BC1509DB; Sun, 4 Dec 2011 22:50:38 -0500 (EST)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset="us-ascii"
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <4EDC3AC0.70803@aist.go.jp>
Date: Mon, 05 Dec 2011 14:50:35 +1100
Content-Transfer-Encoding: quoted-printable
Message-Id: <250E9E00-D444-42ED-823C-AA2C36C915E4@mnot.net>
References: <4EDC3AC0.70803@aist.go.jp>
To: Yutaka OIWA <yutaka@oiwa.jp>
X-Mailer: Apple Mail (2.1251.1)
Cc: 'HTTP Working Group' <ietf-http-wg@w3.org>, apps-discuss@ietf.org
Subject: Re: [apps-discuss] Discussion Place for CGI/1.1
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Dec 2011 03:50:47 -0000

I think at a minimum there needs to be an errata against CGI. 

Also worth a look is RFC3050 and Python's PEP-0333, which may have similar vulnerabilities. 

apps-discuss is probably the right starting place. 

HTTPbis already defers to RFC3864 for field-names, and I think that covers your concerns:
  http://tools.ietf.org/html/rfc3864#section-4.1

Cheers,


On 05/12/2011, at 2:30 PM, Yutaka OIWA wrote:

> Dear experts in apps-discuss and httpbis,
> 
> where should we have talks on CGI/1.1 (RFC 3875), do you think?
> 
> # It may propose a small textual addition to httpbis, depending on the
> # result of discussions.
> 
> 
> A long description of topic is:
> 
> I heard of some Japanese discussion on the interfaces and its side-effect
> of HTTP/1.1 and CGI/1.1 (RFC 3875, Informational).  It was a security issue,
> but the problem itself was not a very interesting thing in context of IETF and a
> workaround has been taken, so I'm not in scramble.
> 
> When I heard of that, I read RFC 3875.  It translates the names of HTTP headers
> to environmental variable names (called in a different name in the spec) in the
> following fashion: make it upper-case, replace all hyphens by underscores and
> then prepend with "HTTP_".  The original author of CGI spec seems to be defining
> the rule as translating "proper" HTTP names (e.g. Forwarded-for) into a
> Unix-like good-looking environment variable name (HTTP_FORWARDED_FOR).
> 
> However, HTTP/1.1 allows so many "weired" characters in tokens, and the header
> names are defined as tokens.  So, "X`Y'Z!" is a valid name for an HTTP header.
> Under the current CGI spec, this weired name will result to "HTTP_X`Y'Z!", which
> is the thing many people probably think not acceptable for variable name
> (including common Unix shell meta characters).
> 
> Implementations of CGI/1.1 actually translate all special characters to
> underscore, in this example "HTTP_X_Y_Z_".  Some intermediate gateway
> did not expect this behavior, and the combination of these has caused
> header forging (using X.Y.Z to override existing X-Y-Z header.)
> 
> # For curious people: the intermediate was actually a mobile carrier gateway,
> # and the forged header was for a mobile device identifier number.
> # The gateway removes any occurrence of it and added a proper one.
> # Receivers check the source IP address, and if it is in some predefined
> # range, they trust the content of such a header.
> # Yes, it is really a bad idea, but do not claim its badness on me
> # as I know it and it's not my fault :-)
> ## The gateway was aware of the fact that - and _ will be translated to
> ## indistinguishable ones in CGI interface.
> 
> Strictly following the spec, the web server behavior was against RFC 3875.
> However, given the Unix customs and restrictions (which was obviously
> the base of CGI specification), the actually-implemented behavior is
> more-or-less understandable.  So, what should we do?
> 
> Possible solutions are:
>  1) to explicitly allow the behavior of current implementations by
>     appending rules that non-alnum MAY be translated to underscore.
>     By this way, the responsibility will move to the intermediate
>     in this case (it should filter out all like X.Y.Z, X!Y%Z, etc).
> 
>  2) Appending a text that headers with "weired" characters SHOULD be
>     filtered out completely, instead of masking by underscores.
>     Existing server implementations to be changed accordingly.
>     (Actually, CGI/1.1 already allows some protocol-specific
>      filtering of headers, with examples for Authorization-related ones).
> 
>  3) Do nothing.  Servers should pass weired characters as is, and
>     CGI programmers should take care of that.
>     Again, existing server implementations to be changed accordingly,
>     and CGI programmers must be really careful to handle these weired things.
> 
>  4) Do really nothing: CGI is too old technology (!?) :-)
> 
> The solution 1) or 2) may be result as an errata or an update document.
> If either 1) or 2) is a good thing, we may also want httpbis to add
> a text for future header extensions suggesting that non-alnums except hyphens
> are discouraged for any new header specifications.
> 
> Original source of problem description along with deployed workaround is in
> <http://blog.tokumaru.org/2011/11/kddigw_29.html> in Japanese.
> 
> -- 
> Yutaka OIWA, Ph.D.                                       Research Scientist
>                            Research Center for Information Security (RCIS)
>    National Institute of Advanced Industrial Science and Technology (AIST)
>                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
> OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]
> _______________________________________________
> apps-discuss mailing list
> apps-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/apps-discuss

--
Mark Nottingham   http://www.mnot.net/

v2.23.0 | Report a Bug | By Email