Project

General

Profile

Actions

Bug #504

closed

path normalization won't happen if uri is double encoded.

Added by Anoop Saldanha over 12 years ago. Updated over 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

If you have a double encoded path and it manages to double decode the path correctly, the path normalization on the double decoded path doesn't happen.

Actions #1

Updated by Anoop Saldanha over 12 years ago

  • Target version set to 1.3.1
Actions #2

Updated by Victor Julien over 12 years ago

  • Status changed from New to Assigned
  • Assignee set to Anoop Saldanha
  • Estimated time set to 4.00 h

Please add unittests as well.

Actions #3

Updated by Anoop Saldanha over 12 years ago

1. I think the patch written previously to double decode irrespective of profile though right code-wise, may not right wrt behaviour-wise. The feature to double-decode should be profile specific. If a specific server profile requires it, it will double decode or else not.

On the other hand we should make make all libhtp configurable options available in the conf for users to customize, this includes the option to double-decode.

2. The feature/code to double-decode double-encoded characters should be updated to libhtp upstream, rather than have it in suricata's callback. This lets libhtp handle it based on the config(cfg)/profile settings.

Actions #4

Updated by Peter Manev over 12 years ago

I agree with Anoop - makes sense.

Actions #5

Updated by Victor Julien over 12 years ago

Are we aware of any HTTP server that does double(+) decoding by default?

If not, I'm thinking we should modify the callback to detect double decoding and set a warning. Then for 1.4 we can modify libhtp to support per cfg double decoding.

Actions #6

Updated by Victor Julien over 12 years ago

  • Assignee changed from Anoop Saldanha to Victor Julien
Actions #7

Updated by Victor Julien over 12 years ago

  • Status changed from Assigned to Closed

Double decoding is now optional (see #464). After the 2nd decoding round the proper libhtp normalization calls are made as well.

Actions

Also available in: Atom PDF