Bug #504
closed
path normalization won't happen if uri is double encoded.
Added by Anoop Saldanha over 12 years ago.
Updated about 12 years ago.
Description
If you have a double encoded path and it manages to double decode the path correctly, the path normalization on the double decoded path doesn't happen.
- Target version set to 1.3.1
- Status changed from New to Assigned
- Assignee set to Anoop Saldanha
- Estimated time set to 4.00 h
Please add unittests as well.
1. I think the patch written previously to double decode irrespective of profile though right code-wise, may not right wrt behaviour-wise. The feature to double-decode should be profile specific. If a specific server profile requires it, it will double decode or else not.
On the other hand we should make make all libhtp configurable options available in the conf for users to customize, this includes the option to double-decode.
2. The feature/code to double-decode double-encoded characters should be updated to libhtp upstream, rather than have it in suricata's callback. This lets libhtp handle it based on the config(cfg)/profile settings.
I agree with Anoop - makes sense.
Are we aware of any HTTP server that does double(+) decoding by default?
If not, I'm thinking we should modify the callback to detect double decoding and set a warning. Then for 1.4 we can modify libhtp to support per cfg double decoding.
- Assignee changed from Anoop Saldanha to Victor Julien
- Status changed from Assigned to Closed
Double decoding is now optional (see #464). After the 2nd decoding round the proper libhtp normalization calls are made as well.
Also available in: Atom
PDF