Bug#748065: RequestHeader must not contain underscores + further problems

Andreas B. Mundt andi at debian.org
Wed Jun 18 12:50:09 UTC 2014


Hi,

this issue is related to several problems.  The first one is simple.
A place to start studying the issue is:
    <URL:https://httpd.apache.org/docs/trunk/new_features_2_4.html>
        "Translation of headers to environment variables is more strict
        than before to mitigate some possible cross-site-scripting
        attacks via header injection. Headers containing invalid
        characters (including underscores) are now silently
        dropped."
    <URL:https://stackoverflow.com/questions/18185366/header-names-with-underscores-ignored-in-php-5-5-1-apache-2-4-6>.

A patch is attached; problems with upgrades are to be expected.

After having fixed the above problem, things still do not work.  I
tried to figure out why and found that the password is decrypted
correctly, but while the working password is of type string(8), the
decrypted one is of type string(16).  This can be checked with the
following debug patch ("l1Nh8OxB" was the correct password):

diff -ru gosa_orig/include/functions.inc gosa/include/functions.inc
--- gosa_orig/include/functions.inc     2014-06-18 09:19:57.277339000+0200
+++ gosa/include/functions.inc  2014-06-18 14:31:19.827537710 +0200
@@ -469,7 +469,16 @@
 function ldap_init ($server, $base, $binddn='', $pass='')
 {
   global $config;
+  print_r($pass." is a ");
+  var_dump($pass);
+  print_r("(which does not work)<br />l1Nh8OxB is a ");
+  var_dump("l1Nh8OxB");

+  if($pass != "l1Nh8OxB"){
+    print_r("l1Nh8OxB<br />");
+    $pass= "l1Nh8OxB";
+  }
+
   $ldap = new LDAP ($binddn, $pass, $server,
       isset($config->current['LDAPFOLLOWREFERRALS']) &&
       $config->current['LDAPFOLLOWREFERRALS'] == "true",
       isset($config->current['LDAPTLS']) &&
       $config->current['LDAPTLS'] == "true");
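Review bot: the print_r()/var_dump() calls added at the top of ldap_init() write the decrypted LDAP bind password, and the hard-coded working password "l1Nh8OxB", into the HTTP response, and the `if($pass != "l1Nh8OxB")` block silently replaces whatever was decrypted with that literal; that is acceptable as a throw-away local debug patch but must not be committed or left on a reachable host. For diagnosing the string(8) versus string(16) difference, var_dump() does not make non-printable bytes visible, so a 16-byte value can look identical to the 8-character password on the page; dumping bin2hex($pass) next to bin2hex("l1Nh8OxB"), and sending both to error_log() instead of the browser, would show whether the extra eight bytes are trailing padding or a different encoding of the same value.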


So there seems to be some encoding problem.  I tried to fix that, but
someone with more knowledge about php and encodings should have a
look.

Best regards,

     Andi


-------------- next part --------------
A non-text attachment was scrubbed...
Name: RequestHeader.patch
Type: text/x-diff
Size: 1970 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/debian-edu-pkg-team/attachments/20140618/ad59492f/attachment.patch>
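The first problem in the report is the way Apache turns request headers into HTTP_* environment variables for CGI/PHP. The mapping is lossy: "X-Remote-User" and "X_Remote_User" both become HTTP_X_REMOTE_USER, so before 2.4 a client could send the underscore variant to overwrite a value the server had set with RequestHeader; 2.4 closes that hole by dropping names that contain anything but letters, digits and hyphens, which also drops a RequestHeader whose own name uses underscores. The following model of that translation is an added example, not code from GOsa, Apache or the bug report. The header name X-Remote-User, the host name and the "later header wins" ordering in the legacy mode are assumptions made for illustration; the character rule is my summary of the Apache note quoted above, not a copy of the Apache source.

```python
import re

# Apache 2.4 keeps a header in the CGI environment only if its name is
# made of letters, digits and '-'; anything else is dropped.  This regex
# is my summary of that rule (assumption, not the Apache source).
_ENV_SAFE_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def header_to_env(name: str) -> str:
    """Classic CGI mapping: upper-case, '-' -> '_', prefix HTTP_.
    It is lossy: 'X-Remote-User' and 'X_Remote_User' collide."""
    return "HTTP_" + name.upper().replace("-", "_")


def cgi_env(headers, strict=True):
    """Build the HTTP_* part of $_SERVER from (name, value) pairs in the
    order the server sees them.

    strict=False models pre-2.4: every header is mapped and a colliding
    name seen later overwrites an earlier one (ordering is an assumption
    of this model).  strict=True models 2.4: names with characters
    outside [A-Za-z0-9-] are silently dropped.
    Returns (env, dropped_names)."""
    env = {}
    dropped = []
    for name, value in headers:
        if strict and not _ENV_SAFE_NAME.match(name):
            dropped.append(name)
            continue
        env[header_to_env(name)] = value
    return env, dropped


# Constructed request: the server-side RequestHeader sets a trusted
# X-Remote-User (hypothetical header name); the client also sent a
# look-alike with underscores, hoping to override it.
TRUSTED_HEADERS = [("X-Remote-User", "andi")]
CLIENT_HEADERS = [("Host", "gosa.example.org"), ("X_Remote_User", "root")]


def legacy_view():
    """Pre-2.4: the client's underscore variant wins."""
    env, _ = cgi_env(TRUSTED_HEADERS + CLIENT_HEADERS, strict=False)
    return env["HTTP_X_REMOTE_USER"]


def apache24_view():
    """2.4: the underscore variant is dropped, the trusted value survives."""
    env, dropped = cgi_env(TRUSTED_HEADERS + CLIENT_HEADERS, strict=True)
    return env["HTTP_X_REMOTE_USER"], dropped


def apache24_misconfigured_view():
    """2.4 with the RequestHeader itself spelled with underscores (the
    situation the report describes): the value never reaches $_SERVER."""
    env, dropped = cgi_env([("X_Remote_User", "andi"),
                            ("Host", "gosa.example.org")], strict=True)
    return env.get("HTTP_X_REMOTE_USER"), dropped


if __name__ == "__main__":
    print("pre-2.4 sees            :", legacy_view())
    print("2.4 sees                :", apache24_view())
    print("2.4, bad RequestHeader  :", apache24_misconfigured_view())
```

The last function is the GOsa case: the application is not attacked, it simply never receives the header, which is why renaming the RequestHeader directive to a hyphenated name (as the attached patch presumably does) is the fix rather than any change on the PHP side.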

