This queue is for tickets about the CGI CPAN distribution.

Report information
The Basics
Id: 66760
Status: resolved
Priority: 0/
Queue: CGI

People
Owner: Nobody in particular
Requestors: jmfernandez [...] cnio.es
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in:
  • 3.49
  • 3.50
  • 3.51
  • 3.52
Fixed in: (no value)



Subject: Bug in virtual_host method in some corner cases
We have found in one of our deployments a corner case where 'virtual_host' method returns a list of hosts separated by commas. A sample of the return, which is not a real one:

    publicname.ahost.thedomain, notsopublicname.ahost.thedomain

We have inspected code from CGI-3.49 to CGI-3.52, but we suspect the bug is present since the creation of 'virtual_host' method. We have tested with Perl 5.8.8 in Mac OS X 10.5 PPC and with Perl 5.12.2 in Gentoo Linux x86_64.

'virtual_host' method returns the information from X-Forwarded-Host header. In configurations where you have a public HTTP virtual host which is proxying HTTP servers behind a NAT, and one of those HTTP servers is also a virtual host, you can get from X-Forwarded-Host header a list of hostnames separated by commas.

We think the scenario can be reproduced with a couple of Apache servers in different machines, both of them configured for virtual hosting, and one of them proxying the other one.

The easy way to fix this corner case bug would be adding next line just after first assignment of '$vh' variable:

    $vh =~ s/^([^,]+),.*/$1/;

which discards the additional hostnames (the first one should be the right one).
CC: jmfernandez [...] cnio.es
Subject: Re: [rt.cpan.org #66760] Bug in virtual_host method in some corner cases
Date: Tue, 22 Mar 2011 09:56:13 -0400
To: bug-CGI [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
> The easy way to fix this corner case bug would be adding next line just
> after first assignment of '$vh' variable:
>
> $vh =~ s/^([^,]+),.*/$1/;
>
> which discards the additional hostnames (the first one should be the
> right one).

Thanks for the report and the suggested fix. Can you refer to any specs which state what the correct behavior should be in this case?

Mark
From: José María Fernández
On Tue Mar 22 09:56:21 2011, mark@summersault.com wrote:
>
> Thanks for the report and the suggested fix. Can you refer to any specs
> which state what the correct behavior should be in this case?
>
> Mark
>

Hi Mark,
I have just been looking for the documentation, and I have found this:

http://httpd.apache.org/docs/current/mod/mod_proxy.html#x-headers

where there is a paragraph explicitly warning about this behavior
Subject: Re: [rt.cpan.org #66760] Bug in virtual_host method in some corner cases
Date: Tue, 22 Mar 2011 11:13:13 -0400
To: bug-CGI [...] rt.cpan.org
From: Mark Stosberg <mark [...] summersault.com>
> I have just been looking for the documentation, and I have found
> this:
>
> http://httpd.apache.org/docs/current/mod/mod_proxy.html#x-headers
>
> where there is a paragraph explicitly warning about this behavior

Thanks for the research! We'll look into it further.

Mark
On Tue Mar 22 10:20:23 2011, http://jmfernandez.myid.net/ wrote:
> On Tue Mar 22 09:56:21 2011, mark@summersault.com wrote:
> >
> > Thanks for the report and the suggested fix. Can you refer to any specs
> > which state what the correct behavior should be in this case?
> >
> > Mark
> >
>
> Hi Mark,
> I have just been looking for the documentation, and I have found
> this:
>
> http://httpd.apache.org/docs/current/mod/mod_proxy.html#x-headers
>
> where there is a paragraph explicitly warning about this behavior

This is a very interesting bug and I'm surprised it has not been noticed before. Are there any cases in which a comma might be embedded in the hostname itself? Otherwise I don't see any problems with your proposed fix.
From: José María Fernández
On Tue Mar 22 12:17:28 2011, LDS wrote:
>
> This is a very interesting bug and I'm surprised it has not been noticed
> before. Are there any cases in which a comma might be embedded in the
> hostname itself? Otherwise I don't see any problems with your proposed
> fix.

Well, I have just found next RFC:

http://tools.ietf.org/html/rfc3696#page-3

Reading it I have realized that although each piece (or label) from a qualified hostname shouldn't contain something different to letters, digits or hyphens, it is not enforced as "Any characters, or combination of bits (as octets), are permitted in DNS names".

Perhaps a safer fix could be next one, with a space after the comma:

    $vh =~ s/^([^,]+), .*/$1/;
On Tue Mar 22 12:47:33 2011, http://jmfernandez.myid.net/ wrote:
> On Tue Mar 22 12:17:28 2011, LDS wrote:
> >
> > This is a very interesting bug and I'm surprised it has not been noticed
> > before. Are there any cases in which a comma might be embedded in the
> > hostname itself? Otherwise I don't see any problems with your proposed
> > fix.
>
> Well, I have just found next RFC:
>
> http://tools.ietf.org/html/rfc3696#page-3
>
> Reading it I have realized that although each piece (or label) from a
> qualified hostname shouldn't contain something different to letters,
> digits or hyphens, it is not enforced as "Any characters, or combination
> of bits (as octets), are permitted in DNS names".
>
> Perhaps a safer fix could be next one, with a space after the comma:
>
> $vh =~ s/^([^,]+), .*/$1/;

Thanks for the continued effort on this. Could you check what a couple other Perl frameworks are doing to address this issue, for comparative reference?
Subject: Out of Office AutoReply: [rt.cpan.org #66760] Bug in virtual_host method in some corner cases
Date: Sun, 4 Nov 2012 02:43:36 +0100
To: "MARKSTOS via RT" <bug-CGI [...] rt.cpan.org>
From: "Fernandez.Jose_Maria" <jmfernandez [...] cnio.es>
I'm out until November 11th with very limited connectivity. Sorry for the inconvenience
This issue has been copied to:

https://github.com/leejo/CGI.pm/issues/83

Please take all future correspondence there. This ticket will remain open but please do not reply here. This ticket will be closed when the github issue is dealt with.
Closing as a duplicate of #70, which was resolved by 786165e. N.B. We take the last value from the list, as this is what other web frameworks do.
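
The first-versus-last choice discussed in this ticket, as an added Perl example that is not CGI.pm's code and not the change in 786165e: pick_forwarded_host() and its policy argument are hypothetical names, and the header values are constructed (the first is the sample from the report). It also applies the two substitutions proposed in the thread, which shows that the variant requiring a space after the comma leaves a list joined without spaces unchanged.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example; pick_forwarded_host() and the 'first'/'last' policy
# argument are hypothetical names, not part of CGI.pm.
sub pick_forwarded_host {
    my ($header, $policy) = @_;
    return unless defined $header && length $header;

    # Values are joined with a comma and optional whitespace;
    # trim the ends and drop empty elements.
    $header =~ s/^\s+|\s+$//g;
    my @hosts = grep { length } split /\s*,\s*/, $header;
    return unless @hosts;

    my $host = $policy eq 'first' ? $hosts[0] : $hosts[-1];
    $host =~ s/:\d+\z//;    # strip an optional port

    # Accept only letter-digit-hyphen labels (the convention described
    # in RFC 3696); anything else is rejected, not passed to the caller.
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return unless $host =~ /\A$label(?:\.$label)*\z/;
    return lc $host;
}

sub show { defined $_[0] ? $_[0] : '(rejected)' }

# Constructed X-Forwarded-Host values.
my @samples = (
    'publicname.ahost.thedomain, notsopublicname.ahost.thedomain',
    'publicname.ahost.thedomain,notsopublicname.ahost.thedomain',
    'single.ahost.thedomain:8080',
    'bad host!, notsopublicname.ahost.thedomain',
);

for my $raw (@samples) {
    # The two substitutions proposed in the ticket, for comparison.
    (my $fix1 = $raw) =~ s/^([^,]+),.*/$1/;
    (my $fix2 = $raw) =~ s/^([^,]+), .*/$1/;
    printf "raw:   %s\n  fix 1: %s\n  fix 2: %s\n  first: %s\n  last:  %s\n",
        $raw, $fix1, $fix2,
        show(scalar pick_forwarded_host($raw, 'first')),
        show(scalar pick_forwarded_host($raw, 'last'));
}
```

Per the mod_proxy note linked in the thread, a header already present on the incoming request is kept and extended, so the last element is the one added by the proxy nearest the origin server.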