Review: IIS7 plugin Spoofheaders needs work

Description

This was derived from a mix of the Apache code and the ISAPI code. Make it look like the ISAPI code.

This is a brain melting concept since it is looking for a negative.

Since it is security-important, once I have made the change I'll pass it on to Scott to review.

Environment

None

Activity

Scott Cantor May 23, 2018 at 9:49 PM

There were indeed several issues here, one being that this code inherited a hack that the old API required but the new one doesn't, which is the appending of a colon to a header when you set it. That was causing a bunch of weird results but it looks normal now.

The spoof checking and clearing was not correct. The clearing wasn't happening at all, and that's not dependent on the spoof checking option at all, it's just something the code does as an extra defense against header injection. That's now happening.

The other bug is that the ALL_HTTP access was to a header and not a server variable, which was preventing it from working, and that's fixed and tested.
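
The comment above separates two distinct defences: the SP-managed headers are cleared from the request unconditionally before the SP sets its own values, and, when spoof checking is enabled, the request is rejected if the client supplied any of those headers, which on IIS has to be read from the ALL_HTTP server variable rather than from an individual header. The C++ below is an added example written for this page to make that "looking for a negative" logic concrete; it is not the Shibboleth SP's code. It assumes the documented ALL_HTTP record format ("HTTP_NAME:value" per CR/LF-terminated line, names upper-cased with hyphens turned into underscores); the managed-header list, the request-header map standing in for the server's header table, and the sample ALL_HTTP string are all constructed for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Map a header name to the form IIS uses inside ALL_HTTP: "HTTP_" prefix,
// upper-cased, hyphens turned into underscores. Because of that mapping,
// "Remote-User" and "REMOTE_USER" collapse to the same variable name, so the
// spoof comparison must be done on the normalised form, not the raw header.
std::string toServerVariableName(const std::string& header) {
    std::string out = "HTTP_";
    for (char c : header) {
        out += (c == '-') ? '_'
                          : static_cast<char>(std::toupper(static_cast<unsigned char>(c)));
    }
    return out;
}

// Parse an ALL_HTTP value ("HTTP_NAME:value\r\n" records) into name/value pairs.
// Only the first colon separates name from value, so "https://..." values survive.
std::vector<std::pair<std::string, std::string>> parseAllHttp(const std::string& allHttp) {
    std::vector<std::pair<std::string, std::string>> out;
    std::string::size_type pos = 0;
    while (pos < allHttp.size()) {
        std::string::size_type eol = allHttp.find('\n', pos);
        if (eol == std::string::npos) eol = allHttp.size();
        std::string line = allHttp.substr(pos, eol - pos);
        if (!line.empty() && line.back() == '\r') line.pop_back();
        pos = eol + 1;
        if (line.empty()) continue;
        std::string::size_type colon = line.find(':');
        if (colon == std::string::npos)
            out.emplace_back(line, "");   // malformed record: keep the name, empty value
        else
            out.emplace_back(line.substr(0, colon), line.substr(colon + 1));
    }
    return out;
}

// Spoof check: the "negative" the SP is looking for. Returns the managed header
// names that the client supplied; the request is acceptable only if this is empty.
std::vector<std::string> findSpoofedHeaders(const std::string& allHttp,
                                            const std::vector<std::string>& managedHeaders) {
    std::vector<std::string> spoofed;
    const auto supplied = parseAllHttp(allHttp);
    for (const std::string& managed : managedHeaders) {
        const std::string var = toServerVariableName(managed);
        for (const auto& kv : supplied) {
            if (kv.first == var) { spoofed.push_back(managed); break; }
        }
    }
    return spoofed;
}

bool requestIsClean(const std::string& allHttp, const std::vector<std::string>& managedHeaders) {
    return findSpoofedHeaders(allHttp, managedHeaders).empty();
}

// Clearing step, done regardless of whether spoof checking is on: strip every
// client-supplied copy of a managed header before the SP writes its own value.
// The map is a hypothetical stand-in for the server's request-header table.
std::size_t clearManagedHeaders(std::map<std::string, std::string>& requestHeaders,
                                const std::vector<std::string>& managedHeaders) {
    std::vector<std::string> managedVars;
    for (const auto& m : managedHeaders) managedVars.push_back(toServerVariableName(m));
    std::size_t removed = 0;
    for (auto it = requestHeaders.begin(); it != requestHeaders.end();) {
        bool managed = std::find(managedVars.begin(), managedVars.end(),
                                 toServerVariableName(it->first)) != managedVars.end();
        if (managed) { it = requestHeaders.erase(it); ++removed; }
        else         { ++it; }
    }
    return removed;
}

int main() {
    // Constructed inputs: headers the SP would set, and a hostile ALL_HTTP value.
    const std::vector<std::string> managed = {"Shib-Identity-Provider", "Shib-Session-ID", "REMOTE_USER"};
    const std::string allHttp = "HTTP_HOST:sp.example.org\r\nHTTP_REMOTE_USER:admin\r\n";
    for (const auto& h : findSpoofedHeaders(allHttp, managed))
        std::printf("client supplied managed header: %s\n", h.c_str());
    return requestIsClean(allHttp, managed) ? 0 : 1;
}
```

The clearing step runs first and is unconditional; the spoof check is the optional policy layered on top, and it must fail closed: any match in ALL_HTTP, including one that only matches after the hyphen/underscore normalisation, means the request is rejected.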

Rod Widdowson July 1, 2017 at 3:15 PM

Work done and pushed as 187d9c1

I have not reached the zen-trance level needed to fully understand the multiple not-statements involved here (which is work in the clearheader path only?), so I'll assign this to Scott to review.

Fixed

Details

Created June 20, 2017 at 9:34 AM
Updated July 17, 2018 at 2:48 PM
Resolved May 23, 2018 at 9:51 PM