Bug #504
closedpath normalization won't happen if uri is double encoded.
Description
If you have a double encoded path and it manages to double decode the path correctly, the path normalization on the double decoded path doesn't happen.
Updated by Victor Julien over 11 years ago
- Status changed from New to Assigned
- Assignee set to Anoop Saldanha
- Estimated time set to 4.00 h
Please add unittests as well.
Updated by Anoop Saldanha over 11 years ago
1. I think the patch written previously to double decode irrespective of profile though right code-wise, may not right wrt behaviour-wise. The feature to double-decode should be profile specific. If a specific server profile requires it, it will double decode or else not.
On the other hand we should make make all libhtp configurable options available in the conf for users to customize, this includes the option to double-decode.2. The feature/code to double-decode double-encoded characters should be updated to libhtp upstream, rather than have it in suricata's callback. This lets libhtp handle it based on the config(cfg)/profile settings.
Updated by Victor Julien over 11 years ago
Are we aware of any HTTP server that does double(+) decoding by default?
If not, I'm thinking we should modify the callback to detect double decoding and set a warning. Then for 1.4 we can modify libhtp to support per cfg double decoding.
Updated by Victor Julien over 11 years ago
- Assignee changed from Anoop Saldanha to Victor Julien
Updated by Victor Julien over 11 years ago
- Status changed from Assigned to Closed
Double decoding is now optional (see #464). After the 2nd decoding round the proper libhtp normalization calls are made as well.