gsbLookup does not perform canonicalization and lookups correctly #381
Comments
Original reporter: ivanr
bpinto: Ivan, we are now doing the most common lookups (full URL and base URLs). We will improve it in minor versions of 2.6.x.
ivanr: I disagree with your assessment and the change of the type to "Improvement". The current implementation of gsbLookup does not follow the specification and is thus faulty. Even if you accept that only 2 lookups are acceptable, the canonicalization issue still remains. For example, when sent (notice the dot at the end of the hostname):
Target value: "http://a....b.c/1/2.html?param=1"
The operator will completely miss the attack.
bpinto: For now we are doing the lookups when we see a URL a.b.c/a/b/index.html:
1 - a.b.c/a/b/index.html
We will implement the full transformations soon.
bpinto: Added more improvements:
1 - reduce .. to .
bpinto: Added reducing multiple slashes to a single slash.
bpinto: This is what we will have for 2.6.0.
Example: a.b.c/1/2.html?param=1
Also:
MODSEC-227: The gsbLookup operator does not perform canonicalization correctly. The example from the Safe Browsing manual (http://a.b.c/1/2.html?param=1) results in two lookups:
GSB: Successfully extracted url: a.B.c/1/2.Html?param=1
GSB: Canonicalize url #2: a.B.c/
whereas the manual specifies many more:
a.b.c/1/2.html?param=1
a.b.c/1/2.html
a.b.c/
a.b.c/1/
b.c/1/2.html?param=1
b.c/1/2.html
b.c/
b.c/1/
Also notice that gsbLookup does not currently transform input to lowercase (but it should).
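The canonicalization and the host-suffix/path-prefix expansion the issue body describes, as an added example in Python that is not ModSecurity's gsbLookup code. It goes beyond the page's single URL: it resolves "." and ".." segments, keeps IP hosts unsplit, and produces up to the four host suffixes and four path prefixes the manual allows, using only the standard library.

```python
import re
from urllib.parse import urlsplit

def canonicalize(url):
    """Canonicalize a URL as the Safe Browsing lookup spec requires before
    any list lookup: lowercase the host, drop leading/trailing dots, collapse
    runs of dots and of slashes, resolve '.'/'..' segments, ignore the fragment."""
    if "://" not in url:              # the operator sees bare "host/path" strings
        url = "http://" + url
    parts = urlsplit(url.strip())
    host = parts.hostname or ""       # .hostname already lowercases the host
    host = ".".join(label for label in host.split(".") if label)  # "a....b.c." -> "a.b.c"
    segs = []
    for seg in parts.path.split("/"):
        if seg in ("", "."):          # "//" and "/./" add nothing
            continue
        if seg == "..":               # "/../" removes the previous component
            if segs:
                segs.pop()
            continue
        segs.append(seg)
    path = "/" + "/".join(segs)
    if segs and re.search(r"/(\.\.?)?$", parts.path):   # keep a trailing slash
        path += "/"
    return host, path, parts.query

def lookup_expressions(url):
    """Generate every host-suffix/path-prefix combination the Safe Browsing
    manual says a client must look up, in the manual's order."""
    host, path, query = canonicalize(url)
    hosts = [host]
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):  # IPv4 hosts are not split
        labels = host.split(".")
        # up to 4 more hosts: the last 5 labels down to the last 2
        for n in range(min(5, len(labels) - 1), 1, -1):
            hosts.append(".".join(labels[-n:]))
    paths = [path + "?" + query] if query else []
    paths.append(path)
    segs = [s for s in path.split("/") if s]
    # up to 4 prefixes: "/" and then each directory level with a trailing slash
    for i in range(0, min(4, len(segs))):
        prefix = "/" + "/".join(segs[:i]) + ("/" if i else "")
        if prefix not in paths:
            paths.append(prefix)
    return [h + p for h in hosts for p in paths]
```

With this expansion, the reporter's "http://a....b.c/1/2.html?param=1" yields the same eight expressions as the manual's a.b.c example, so a list entry for b.c/ still matches it.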