rewriting post parameters
on 04.10.2002 11:12:49 by Maurizio Marini
Hi there,
we have the following problem:
we are using mod_proxy and mod_rewrite in a standard reverse proxy architecture; after reversing, we use mod_rewrite to change GET parameters;
however, we are not able to change POST ("hidden") parameters.
To be more precise, we are able to modify POST parameters over http, but if we switch to https, we noticed that many things change and the code we used
to change POST parameters over http doesn't work anymore.
Help!
Can someone help me to understand:
1] whether this is feasible
2] in which direction should I work? Some guidelines to start writing code, in a few words
Thanks in advance for the appreciated help!
byez
--
Maurizio Marini
Re: rewriting post parameters
on 04.10.2002 12:26:27 by i.t
> we have the following problem:
> we are using mod_proxy and mod_rewrite in a standard reverse proxy
> architecture; after reversing, we use mod_rewrite to change GET parameters;
> however, we are not able to change POST ("hidden") parameters.
> To be more precise, we are able to modify POST parameters over http, but if
> we switch to https, we noticed that many things change and the code we used to
> change POST parameters over http doesn't work anymore.
> Help!
> Can someone help me to understand:
> 1] whether this is feasible
> 2] in which direction should I work? Some guidelines to start writing
> code, in a few words. Thanks in advance for the appreciated help!
It would be helpful if you could provide some more actual details:
- Apache version
- relevant part of httpd.conf
- a sketch of the httpd flow
- a flow shot with tcpflow or at least something like
    wget --server-response --spider http://relevant.domain.com/
  or
    curl -I http://relevant.domain.com/
i.t
--
Irmund Thum
Re: rewriting post parameters
on 04.10.2002 14:00:24 by Maurizio Marini
On Friday 04 October 2002 12:26 pm, i.t wrote:
>it would be helpful, if you could provide some more actual details

Hi sir,
I'm developing on Red Hat 7.3 with httpd 1.3.23-14; it's a very complex infrastructure with mod_pubcookie, mod_proxy and mod_rewrite.
It's not easy to describe it; it's easier for me to show you the piece of code that, over http, allowed me to change a parameter in the POST data, but not over https:

    int change_out_post(request_rec *r, char *username) {
        char argsbuffer[HUGE_STRING_LEN];
        int retval;

        /* check out http_protocols.c for reading the body info */
        if ((retval = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR)))
            return retval;

        if (ap_should_client_block(r)) {
            /* per the post: points at the POST data when the request came in over http */
            char *p = r->connection->client->inptr;
            char *hit;
            int len_read;

            ap_hard_timeout("copy script args", r);

            /* look for the padded placeholder and overwrite its blanks in place;
             * p stays on the start of the buffer so the debug line never gets NULL */
            if ((hit = strstr(p, "username")) != NULL) {
                /* foo is not declared in the posted excerpt; exactly 10 bytes are copied */
                memcpy(hit + strlen("username="), foo, 10);
            }
            libpbc_debug("change_out_post[%d]: inptr: %s\n", __LINE__, p);

            ap_kill_timeout(r);
        }
        return(1);
    }

I will try to explain it:

Premise.
Suppose that you want to authenticate a user and, after authentication, you want to add the username to a hidden parameter,
because the application on the backend (we are in a reverse-proxy architecture) needs it as a POST parameter.

The misfact.
Before authenticating using mod_pubcookie, I add some hidden parameters initialized to null,
e.g. 'username=          '
You can see sufficient blanks after username= to accommodate the username value.
It's a low trick, don't blame me!
After authentication I try to assign a value to username... how?!?
With strstr I search for the parameter name in the POST area pointed to (if we are in http!!!) by r->connection->client->inptr
I add 9 bytes to this pointer (strlen("username="))
I write the username in place of the blanks
Done!
This horrible trick worked until I switched to https...

Conclusion.
I fear that it's not portable (surely it doesn't work in Apache 2.0!) and, after the Apache
rewrite for the chunked exploit, all my stuff is outdated, even though I've not tested it;
I wrote this piece of code in the days before 21 June!!!

My prayer.
Now, I know well that this piece of software cannot be a solution and I am searching for some help to do something more robust and reliable.
Thanks in advance!
--
Maurizio Marini
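
An added example, not code from this thread and not an Apache API: instead of overwriting blanks in place, it rebuilds the form-urlencoded body in a bounded output buffer, matches the field name only at a field boundary, percent-encodes the value, and returns the new length. It assumes the module has already read the whole POST body into a NUL-terminated buffer; set_form_param and its helpers are hypothetical names, and the caller would send the returned length as the new Content-Length.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Append n bytes of s at out[*pos]; -1 if that would overflow out (NUL included). */
static int put(char *out, size_t outsz, size_t *pos, const char *s, size_t n) {
    if (n >= outsz - *pos) return -1;
    memcpy(out + *pos, s, n);
    *pos += n;
    out[*pos] = '\0';
    return 0;
}

/* Append v percent-encoded, so '&', '=' or blanks in it cannot add or split fields. */
static int put_encoded(char *out, size_t outsz, size_t *pos, const char *v) {
    char esc[4];
    for (; *v; v++) {
        unsigned char c = (unsigned char)*v;
        int n = (isalnum(c) || strchr("-_.", c)) ? snprintf(esc, sizeof esc, "%c", c)
                    : snprintf(esc, sizeof esc, "%%%02X", (unsigned)c);
        if (put(out, outsz, pos, esc, (size_t)n)) return -1;
    }
    return 0;
}

/* Rebuild a form-urlencoded body (hypothetical helper) with every `key` field set to
 * `value`, appending the field if absent. Returns the new length, -1 if out is too small. */
long set_form_param(const char *body, const char *key, const char *value,
                    char *out, size_t outsz) {
    size_t pos = 0, klen = strlen(key);
    int replaced = 0;
    if (outsz == 0) return -1;
    for (const char *p = body; *p; ) {
        size_t n = strcspn(p, "&");              /* length of one name=value field */
        if (pos && put(out, outsz, &pos, "&", 1)) return -1;
        /* match the name only at a field boundary and only when followed by '=' */
        if (n > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            if (put(out, outsz, &pos, p, klen + 1) ||
                put_encoded(out, outsz, &pos, value)) return -1;
            replaced = 1;
        } else if (put(out, outsz, &pos, p, n)) return -1;
        p += n + (p[n] == '&');
    }
    if (!replaced && ((pos && put(out, outsz, &pos, "&", 1)) ||
                      put(out, outsz, &pos, key, klen) ||
                      put(out, outsz, &pos, "=", 1) ||
                      put_encoded(out, outsz, &pos, value))) return -1;
    return (long)pos;
}
```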