Skip Menu |
 

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 66760
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: Nobody in particular
Requestors: jmfernandez [...] cnio.es
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in:
  • 3.49
  • 3.50
  • 3.51
  • 3.52
Fixed in: (no value)



Subject: Bug in virtual_host method in some corner cases
Download (untitled) / with headers
text/plain 1.1k
We have found in one of our deployments a corner case where 'virtual_host' method returns a list of hosts separated by commas. A sample of the return, which is not a real one: publicname.ahost.thedomain, notsopublicname.ahost.thedomain We have inspected code from CGI-3.49 to CGI-3.52, but we suspect the bug is present since the creation of 'virtual_host' method. We have tested with Perl 5.8.8 in Mac OS X 10.5 PPC and with Perl 5.12.2 in Gentoo Linux x86_64. 'virtual_host' method returns the information from X-Forwarded-Host header. In configurations where you have a public HTTP virtual host which is proxying HTTP servers behind a NAT, and one of those HTTP servers is also a virtual host, you can get from X-Forwarded-Host header a list of hostnames separated by commas. We think the scenario can be reproduced with a couple of Apache servers in different machines, both of them configured for virtual hosting, and one of them proxying the another one. The easy way to fix this corner case bug would be adding next line just after first assignment of '$vh' variable: $vh =~ s/^([^,]+),.*/$1/; which discards the additional hostnames (the first one should be the right one).
CC: jmfernandez [...] cnio.es
Subject: Re: [rt.cpan.org #66760] Bug in virtual_host method in some corner cases
Date: Tue, 22 Mar 2011 09:56:13 -0400
To: bug-CGI [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
Download (untitled) / with headers
text/plain 384b
Show quoted text
> The easy way to fix this corner case bug would be adding next line just > after first assignment of '$vh' variable: > > $vh =~ s/^([^,]+),.*/$1/; > > which discards the additional hostnames (the first one should be the > right one).
Thanks for the report and the suggested fix. Can you refer to any specs which state what the correct behavior should be in this case? Mark
From: José María Fernández
Download (untitled) / with headers
text/plain 438b
On Tue Mar 22 09:56:21 2011, mark@summersault.com wrote: Show quoted text
> > Thanks for the report and the suggested fix. Can you refer to any specs > which state what the correct behavior should be in this case? > > Mark >
Hi Mark, I have just been looking for the documentation, and I have found this: http://httpd.apache.org/docs/current/mod/mod_proxy.html#x-headers where there is a paragraph explicitly warning about this behavior
Subject: Re: [rt.cpan.org #66760] Bug in virtual_host method in some corner cases
Date: Tue, 22 Mar 2011 11:13:13 -0400
To: bug-CGI [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
Download (untitled) / with headers
text/plain 286b
Show quoted text
> I have just been looking for the documentation, and I have found > this: > > http://httpd.apache.org/docs/current/mod/mod_proxy.html#x-headers > > where there is a paragraph explicitly warning about this behavior
Thanks for the research! We'll look into further. Mark
Download (untitled) / with headers
text/plain 758b
On Tue Mar 22 10:20:23 2011, http://jmfernandez.myid.net/ wrote: Show quoted text
> On Tue Mar 22 09:56:21 2011, mark@summersault.com wrote:
> > > > Thanks for the report and the suggested fix. Can you refer to any
specs Show quoted text
> > which state what the correct behavior should be in this case? > > > > Mark > >
> > Hi Mark, > I have just been looking for the documentation, and I have
found Show quoted text
> this: > > http://httpd.apache.org/docs/current/mod/mod_proxy.html#x-headers > > where there is a paragraph explicitly warning about this behavior
This is a very interesting bug and I'm surprised it has not been noticed before. Are there any cases in which a comma might be embedded in the hostname itself? Otherwise I don't see any problems with your proposed fix.
From: José María Fernández
Download (untitled) / with headers
text/plain 712b
On Tue Mar 22 12:17:28 2011, LDS wrote: Show quoted text
> > This is a very interesting bug and I'm surprised it has not been noticed > before. Are there any cases in which a comma might be embedded in the > hostname itself? Otherwise I don't see any problems with your proposed > fix.
Well, I have just found next RFC: http://tools.ietf.org/html/rfc3696#page-3 Reading it I have realized that although each piece (or label) from a qualified hostname shouldn't contain something different to letters, digits or hyphens, it is not enforced as "Any characters, or combination of bits (as octets), are permitted in DNS names". Perhaps a safer fix could be next one, with an space after the comma: $vh =~ s/^([^,]+), .*/$1/;
Download (untitled) / with headers
text/plain 976b
On Tue Mar 22 12:47:33 2011, http://jmfernandez.myid.net/ wrote: Show quoted text
> On Tue Mar 22 12:17:28 2011, LDS wrote:
> > > > This is a very interesting bug and I'm surprised it has not been
noticed Show quoted text
> > before. Are there any cases in which a comma might be embedded in
the Show quoted text
> > hostname itself? Otherwise I don't see any problems with your
proposed Show quoted text
> > fix.
> > Well, I have just found next RFC: > > http://tools.ietf.org/html/rfc3696#page-3 > > Reading it I have realized that although each piece (or label) from a > qualified hostname shouldn't contain something different to letters, > digits or hyphens, it is not enforced as "Any characters, or
combination Show quoted text
> of bits (as octets), are permitted in DNS names". > > Perhaps a safer fix could be next one, with an space after the comma: > > $vh =~ s/^([^,]+), .*/$1/;
Thanks for the continued effort on this. Could you check what a couple other Perl frameworks are doing to address this issue, for comparative reference?
Subject: Out of Office AutoReply: [rt.cpan.org #66760] Bug in virtual_host method in some corner cases
Date: Sun, 4 Nov 2012 02:43:36 +0100
To: "MARKSTOS via RT" <bug-CGI [...] rt.cpan.org>
From: "Fernandez.Jose_Maria" <jmfernandez [...] cnio.es>
Download (untitled) / with headers
text/plain 903b
I'm out until November 11th with very limited connectivity. Sorry for the inconvenience **NOTA DE CONFIDENCIALIDAD** Este correo electr�nico, y en su caso los ficheros adjuntos, pueden contener informaci�n protegida para el uso exclusivo de su destinatario. Se proh�be la distribuci�n, reproducci�n o cualquier otro tipo de transmisi�n por parte de otra persona que no sea el destinatario. Si usted recibe por error este correo, se ruega comunicarlo al remitente y borrar el mensaje recibido. **CONFIDENTIALITY NOTICE** This email communication and any attachments may contain confidential and privileged information for the sole use of the designated recipient named above. Distribution, reproduction or any other use of this transmission by any party other than the intended recipient is prohibited. If you are not the intended recipient please contact the sender and delete all copies.
Download (untitled) / with headers
text/plain 240b
This issue has been copied to: https://github.com/leejo/CGI.pm/issues/83 please take all future correspondence there. This ticket will remain open but please do not reply here. This ticket will be closed when the github issue is dealt with.
Download (untitled) / with headers
text/plain 145b
Closing as a duplicate of #70, which was resolved by 786165e. N.B. We take the last value from the list, as this is what other web frameworks do.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.