httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 53910] New: If: check spuriously succeeds with %-encoded URL and ETag qualifier
Date Fri, 21 Sep 2012 04:58:20 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=53910

          Priority: P2
            Bug ID: 53910
          Assignee: bugs@httpd.apache.org
           Summary: If: check spuriously succeeds with %-encoded URL and
                    ETag qualifier
          Severity: normal
    Classification: Unclassified
                OS: other
          Reporter: tjw@omnigroup.com
          Hardware: Macintosh
            Status: NEW
           Version: 2.4.3
         Component: mod_dav
           Product: Apache httpd-2

Created attachment 29401
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=29401&action=edit
Patch

Using a clean build of httpd-2.4.3, I'm seeing the following behavior:

 * Make a collection
 * Get its ETag with PROPFIND Depth=0
 * Add an item to the collection
 * httpd reports a new ETag for the collection at this point
 * Attempt a MOVE of the collection to a new name, predicated with the OLD
ETag, using an "If" header of </src/> (["ETag"])
 * Expect a precondition failure error

I get a proper 412 precondition failure if the source and destination are
"/src/" and "/dst/", but if I use percent escapes in the URLs the MOVE
spuriously succeeds (for example, if I use "/s%20r%20c/" and "/d%20s%20t/").

If you'd like to see or try specifically my case, I've submitted a patch to
litmus
<http://lists.manyfish.co.uk/pipermail/litmus/2012-September/000344.html>.

A possible patch to fix the problem is attached -- when parsing the If header,
make sure to unescape the URI in the If header. dav_validate_resource_state()
compares a resource URI (which was already unescaped) with a dav_if_header's URI
(which was not unescaped while parsing the If header).

-- 
You are receiving this mail because:
You are the assignee for the bug.
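
The mismatch described in the report, as an added example that is not part of the original message and is not mod_dav's code or the attached patch. The names pct_decode and if_check are hypothetical, and the rule that a tagged condition naming a different URI is skipped is an assumption of this simplified model.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: decode %XX escapes in place.
 * Returns 0 on success, -1 on a truncated or non-hex escape. */
static int pct_decode(char *s)
{
    char *out = s;
    while (*s) {
        if (*s != '%') { *out++ = *s++; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
            return -1;
        char hex[3] = { s[1], s[2], '\0' };
        *out++ = (char)strtol(hex, NULL, 16);
        s += 3;
    }
    *out = '\0';
    return 0;
}

/* Simplified model of one tagged If condition: <tag_uri> ([tag_etag]).
 * resource_uri is already unescaped, as the report states.
 * Assumption: a condition whose tag does not match the resource is skipped.
 * Returns 1 = precondition holds, 0 = fail with 412, -1 = malformed tag. */
static int if_check(const char *resource_uri, const char *tag_uri,
                    const char *tag_etag, const char *current_etag,
                    int decode_tag)
{
    char buf[256];
    if (strlen(tag_uri) >= sizeof buf)
        return -1;
    strcpy(buf, tag_uri);
    if (decode_tag && pct_decode(buf) != 0)
        return -1;
    if (strcmp(buf, resource_uri) != 0)
        return 1;   /* tag looks like another resource: ETag never compared */
    return strcmp(tag_etag, current_etag) == 0;
}
```

With decode_tag set to 0 the stale ETag on "/s%20r%20c/" is never compared and the check passes; with decode_tag set to 1 both sides are in the same form and the stale ETag is rejected.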
