httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 38923] New: - mod_speling incorrectly escapes linked URLs
Date Fri, 10 Mar 2006 19:58:26 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38923>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38923

           Summary: mod_speling incorrectly escapes linked URLs
           Product: Apache httpd-2
           Version: 2.2.0
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P2
         Component: mod_speling
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: rmg@terc.edu


Given a misspelled request with more than one likely correct spelling,
mod_speling returns a list of variant spellings to the client. When it does, it
may produce incorrect and/or broken links due to incorrect escaping of its
output. For example:

[build (with --enable-speling) and install httpd-2.2.0]
[set "CheckSpelling On" in httpd.conf, and run httpd]
cd $PREFIX/htdocs
touch "lamp making"
touch "ramp making"
touch "&amp making"
[visit /camp%20making in a browser (tested with Firefox)]
[note the broken link to "& making"]

So mod_speling fails to perform html escaping on the uri-escaped filenames.

Not only that, it incorrectly escapes the "?" and contents of the query string
in variant spellings if a query string is included in the original request. For
example:

touch foo
touch goo
[visit /yoo?hoo=%3f in a browser]
[note the broken links to "foo%3fhoo=%253f" and "goo%3fhoo=%253f"]

So it needs to perform uri escaping only on the filename part of each URL and
then add the "?" and query string to produce the link. Plus html-escaping the
whole thing (see first example). 

As well, mod_speling output may include a link to the referring page. This link
needs to be html-escaped instead of being uri-escaped as it is now. It is
normally already uri-escaped by the browser, and double-escaping it will break
the link. For example, a referer URL of "http://example.com/foo?bar=%3f" becomes
"http://example.com/foo%3fbar=%253f", which refers to a resource named
"foo?bar=%3f" rather than a resource named "foo" plus a query string as
intended. If the browser isn't already sending properly escaped referer URLs,
then it probably deserves to be broken.

As best I can tell, these bugs are also present in the 1.3.x and 2.0.x versions
of mod_speling.

I'll plan to work on a patch later today unless someone else wants to do it.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
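
The escaping order the report asks for, next to the behaviour it describes, as an added Python example; this is not mod_speling code and not part of the original message. The function names and the PATH_SAFE character set are assumptions made for illustration, and quote() emits uppercase hex where the report shows lowercase.

```python
from html import escape, unescape
from urllib.parse import quote

# Characters the path escaper leaves alone in this sketch: an assumption chosen
# to reproduce the report's output, not taken from the httpd source.
PATH_SAFE = "/:&="

def buggy_href(filename, query=None):
    """Reported behaviour: name and query URI-escaped together, no HTML escaping."""
    target = filename if query is None else filename + "?" + query
    return quote(target, safe=PATH_SAFE)

def fixed_href(filename, query=None):
    """Proposed fix: URI-escape the filename only, append "?" and the query
    string untouched, then HTML-escape the whole URL for the href attribute."""
    url = quote(filename, safe=PATH_SAFE)
    if query is not None:
        url += "?" + query
    return escape(url, quote=True)

def buggy_referer_href(referer):
    """Reported behaviour: the already-escaped Referer is URI-escaped again."""
    return quote(referer, safe=PATH_SAFE)

def fixed_referer_href(referer):
    """Proposed fix: the browser already URI-escaped it, so HTML-escape only."""
    return escape(referer, quote=True)

def url_after_html_parsing(href_text):
    """URL a client requests once it has decoded entities in the attribute."""
    return unescape(href_text)

if __name__ == "__main__":
    # Constructed inputs, taken from the three scenarios in the report.
    cases = [
        ("variant '&amp making'", buggy_href("&amp making"), fixed_href("&amp making")),
        ("variant 'foo' + query", buggy_href("foo", "hoo=%3f"), fixed_href("foo", "hoo=%3f")),
        ("referer", buggy_referer_href("http://example.com/foo?bar=%3f"),
         fixed_referer_href("http://example.com/foo?bar=%3f")),
    ]
    for label, bad, good in cases:
        print(f"{label}: buggy href={bad!r} -> {url_after_html_parsing(bad)!r}")
        print(f"{label}: fixed href={good!r} -> {url_after_html_parsing(good)!r}")
```

Because fixed_href and fixed_referer_href pass the finished URL through HTML escaping with quote=True, a double quote or angle bracket in a filename, query string or Referer value stays inside the attribute instead of ending it.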

