httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From f...@locus.apache.org
Subject cvs commit: apache-2.0/src/modules/standard mod_rewrite.c mod_rewrite.h
Date Sat, 23 Sep 2000 00:05:46 GMT
fanf        00/09/22 17:05:45

  Modified:    src      CHANGES
               src/modules/standard mod_rewrite.c mod_rewrite.h
  Log:
  Fix a security problem that affects certain configurations of mod_rewrite.
  If the result of a RewriteRule is a filename that contains expansion
  specifiers, especially regexp backreferences $0..$9 and %0..%9, then it
  may be possible for an attacker to access any file on the web server.
  The fix replaces a multi-pass string expander with a one-pass expander,
  and includes the code quality improvements that were committed separately
  to 1.3.
  
  Message-Id: <E13OQB5-0004Xs-00@hand.dotat.at>
  
  Revision  Changes    Path
  1.236     +6 -0      apache-2.0/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-2.0/src/CHANGES,v
  retrieving revision 1.235
  retrieving revision 1.236
  diff -u -u -r1.235 -r1.236
  --- CHANGES	2000/09/22 20:08:41	1.235
  +++ CHANGES	2000/09/23 00:05:44	1.236
  @@ -1,5 +1,11 @@
   Changes with Apache 2.0a7
   
  +  *) Fix a security problem that affects certain configurations of
  +     mod_rewrite. If the result of a RewriteRule is a filename that
  +     contains expansion specifiers, especially regexp backreferences
  +     $0..$9 and %0..%9, then it may be possible for an attacker to
  +     access any file on the web server. [Tony Finch]
  +
     *) Fix a bug where errors that are detected during early request parsing
        don't produce visible HTTP error messages at the browser, because
        the core_filter wasn't present.  [Greg Ames]
  
  
  
  1.41      +175 -311  apache-2.0/src/modules/standard/mod_rewrite.c
  
  Index: mod_rewrite.c
  ===================================================================
  RCS file: /home/cvs/apache-2.0/src/modules/standard/mod_rewrite.c,v
  retrieving revision 1.40
  retrieving revision 1.41
  diff -u -u -r1.40 -r1.41
  --- mod_rewrite.c	2000/08/21 19:09:01	1.40
  +++ mod_rewrite.c	2000/09/23 00:05:45	1.41
  @@ -1192,20 +1192,7 @@
                          r->filename);
               return OK;
           }
  -        else if (  (strlen(r->filename) > 7 &&
  -                    strncasecmp(r->filename, "http://",   7) == 0)
  -                || (strlen(r->filename) > 8 &&
  -                    strncasecmp(r->filename, "https://",  8) == 0)
  -                || (strlen(r->filename) > 9 &&
  -                    strncasecmp(r->filename, "gopher://", 9) == 0)
  -                || (strlen(r->filename) > 6 &&
  -                    strncasecmp(r->filename, "ftp://",    6) == 0)
  -                || (strlen(r->filename) > 5 &&
  -                    strncasecmp(r->filename, "ldap:",     5) == 0)
  -                || (strlen(r->filename) > 5 &&
  -                    strncasecmp(r->filename, "news:",     5) == 0)
  -                || (strlen(r->filename) > 7 &&
  -                    strncasecmp(r->filename, "mailto:",   7) == 0)) {
  +        else if (is_absolute_uri(r->filename)) {
               /* it was finally rewritten to a remote URL */
   
               /* skip 'scheme:' */
  @@ -1456,20 +1443,7 @@
                          "%s [OK]", dconf->directory, r->filename);
               return OK;
           }
  -        else if (  (strlen(r->filename) > 7 &&
  -                    strncasecmp(r->filename, "http://",   7) == 0)
  -                || (strlen(r->filename) > 8 &&          
  -                    strncasecmp(r->filename, "https://",  8) == 0)
  -                || (strlen(r->filename) > 9 &&
  -                    strncasecmp(r->filename, "gopher://", 9) == 0)
  -                || (strlen(r->filename) > 6 &&
  -                    strncasecmp(r->filename, "ftp://",    6) == 0)
  -                || (strlen(r->filename) > 5 &&
  -                    strncasecmp(r->filename, "ldap:",     5) == 0)
  -                || (strlen(r->filename) > 5 &&
  -                    strncasecmp(r->filename, "news:",     5) == 0)
  -                || (strlen(r->filename) > 7 &&
  -                    strncasecmp(r->filename, "mailto:",   7) == 0)) {
  +        else if (is_absolute_uri(r->filename)) {
               /* it was finally rewritten to a remote URL */
   
               /* because we are in a per-dir context
  @@ -1807,7 +1781,6 @@
       char *output;
       const char *vary;
       char newuri[MAX_STRING_LEN];
  -    char env[MAX_STRING_LEN];
       regex_t *regexp;
       regmatch_t regmatch[MAX_NMATCH];
       backrefinfo *briRR = NULL;
  @@ -1975,20 +1948,7 @@
        *  (`RewriteRule <pat> - [E=...]')
        */
       if (strcmp(output, "-") == 0) {
  -        for (i = 0; p->env[i] != NULL; i++) {
  -            /*  1. take the string  */
  -            apr_cpystrn(env, p->env[i], sizeof(env));
  -            /*  2. expand $N (i.e. backrefs to RewriteRule pattern)  */
  -            expand_backref_inbuffer(r->pool, env, sizeof(env), briRR, '$');
  -            /*  3. expand %N (i.e. backrefs to latest RewriteCond pattern)  */
  -            expand_backref_inbuffer(r->pool, env, sizeof(env), briRC, '%');
  -            /*  4. expand %{...} (i.e. variables) */
  -            expand_variables_inbuffer(r, env, sizeof(env));
  -            /*  5. expand ${...} (RewriteMap lookups)  */
  -            expand_map_lookups(r, env, sizeof(env));
  -            /*  and add the variable to Apache's structures  */
  -            add_env_variable(r, env);
  -        }
  +	do_expand_env(r, p->env, briRR, briRC);
           if (p->forced_mimetype != NULL) {
               if (perdir == NULL) {
                   /* In the per-server context we can force the MIME-type
  @@ -2023,17 +1983,7 @@
        *  that there is something to replace, so we create the
        *  substitution URL string in `newuri'.
        */
  -    /*  1. take the output string  */
  -    apr_cpystrn(newuri, output, sizeof(newuri));
  -    /*  2. expand $N (i.e. backrefs to RewriteRule pattern)  */
  -    expand_backref_inbuffer(r->pool, newuri, sizeof(newuri), briRR, '$');
  -    /*  3. expand %N (i.e. backrefs to latest RewriteCond pattern)  */
  -    expand_backref_inbuffer(r->pool, newuri, sizeof(newuri), briRC, '%');
  -    /*  4. expand %{...} (i.e. variables) */
  -    expand_variables_inbuffer(r, newuri, sizeof(newuri));
  -    /*  5. expand ${...} (RewriteMap lookups)  */
  -    expand_map_lookups(r, newuri, sizeof(newuri));
  -    /*  and log the result... */
  +    do_expand(r, output, newuri, sizeof(newuri), briRR, briRC);
       if (perdir == NULL) {
           rewritelog(r, 2, "rewrite %s -> %s", uri, newuri);
       }
  @@ -2045,20 +1995,7 @@
        *  Additionally do expansion for the environment variable
        *  strings (`RewriteRule .. .. [E=<string>]').
        */
  -    for (i = 0; p->env[i] != NULL; i++) {
  -        /*  1. take the string  */
  -        apr_cpystrn(env, p->env[i], sizeof(env));
  -        /*  2. expand $N (i.e. backrefs to RewriteRule pattern)  */
  -        expand_backref_inbuffer(r->pool, env, sizeof(env), briRR, '$');
  -        /*  3. expand %N (i.e. backrefs to latest RewriteCond pattern)  */
  -        expand_backref_inbuffer(r->pool, env, sizeof(env), briRC, '%');
  -        /*  4. expand %{...} (i.e. variables) */
  -        expand_variables_inbuffer(r, env, sizeof(env));
  -        /*  5. expand ${...} (RewriteMap lookups)  */
  -        expand_map_lookups(r, env, sizeof(env));
  -        /*  and add the variable to Apache's structures  */
  -        add_env_variable(r, env);
  -    }
  +    do_expand_env(r, p->env, briRR, briRC);
   
       /*
        *  Now replace API's knowledge of the current URI:
  @@ -2074,16 +2011,8 @@
        *   location, i.e. if it's not starting with either a slash
        *   or a fully qualified URL scheme.
        */
  -    i = strlen(r->filename);
  -    if (   prefixstrip
  -        && !(   r->filename[0] == '/'
  -             || (   (i > 7 && strncasecmp(r->filename, "http://",   7) ==
0)
  -                 || (i > 8 && strncasecmp(r->filename, "https://",  8) ==
0)
  -                 || (i > 9 && strncasecmp(r->filename, "gopher://", 9) ==
0)
  -                 || (i > 6 && strncasecmp(r->filename, "ftp://",    6) ==
0)
  -                 || (i > 5 && strncasecmp(r->filename, "ldap:",     5) ==
0)
  -                 || (i > 5 && strncasecmp(r->filename, "news:",     5) ==
0)
  -                 || (i > 7 && strncasecmp(r->filename, "mailto:",   7) ==
0)))) {
  +    if (prefixstrip && r->filename[0] != '/'
  +	&& !is_absolute_uri(r->filename)) {
           rewritelog(r, 3, "[per-dir %s] add per-dir prefix: %s -> %s%s",
                      perdir, r->filename, perdir, r->filename);
           r->filename = apr_pstrcat(r->pool, perdir, r->filename, NULL);
  @@ -2147,14 +2076,7 @@
        *  redirection (`RewriteRule .. <scheme>://...') then
        *  directly force an external HTTP redirect.
        */
  -    i = strlen(r->filename);
  -    if (   (i > 7 && strncasecmp(r->filename, "http://",   7) == 0)
  -        || (i > 8 && strncasecmp(r->filename, "https://",  8) == 0)
  -        || (i > 9 && strncasecmp(r->filename, "gopher://", 9) == 0)
  -        || (i > 6 && strncasecmp(r->filename, "ftp://",    6) == 0)
  -        || (i > 5 && strncasecmp(r->filename, "ldap:",     5) == 0)
  -        || (i > 5 && strncasecmp(r->filename, "news:",     5) == 0)
  -        || (i > 7 && strncasecmp(r->filename, "mailto:",   7) == 0) ) {
  +    if (is_absolute_uri(r->filename)) {
           if (perdir == NULL) {
               rewritelog(r, 2,
                          "implicitly forcing redirect (rc=%d) with %s",
  @@ -2225,16 +2147,7 @@
        *   Construct the string we match against
        */
   
  -    /*  1. take the string  */
  -    apr_cpystrn(input, p->input, sizeof(input));
  -    /*  2. expand $N (i.e. backrefs to RewriteRule pattern)  */
  -    expand_backref_inbuffer(r->pool, input, sizeof(input), briRR, '$');
  -    /*  3. expand %N (i.e. backrefs to latest RewriteCond pattern)  */
  -    expand_backref_inbuffer(r->pool, input, sizeof(input), briRC, '%');
  -    /*  4. expand %{...} (i.e. variables) */
  -    expand_variables_inbuffer(r, input, sizeof(input));
  -    /*  5. expand ${...} (RewriteMap lookups)  */
  -    expand_map_lookups(r, input, sizeof(input));
  +    do_expand(r, p->input, input, sizeof(input), briRR, briRC);
   
       /*
        *   Apply the patterns
  @@ -2273,12 +2186,7 @@
       }
       else if (strcmp(p->pattern, "-U") == 0) {
           /* avoid infinite subrequest recursion */
  -        if (strlen(input) > 0               /* nonempty path, and            */
  -            && (   r->main == NULL          /* - either not in a subrequest
 */
  -                || (   r->main->uri != NULL /* - or in a subrequest...       */
  -                    && r->uri != NULL       /*   ...and URIs aren't NULL...
 */
  -                                            /*   ...and sub/main URIs differ */
  -                    && strcmp(r->main->uri, r->uri) != 0) ) ) {
  +        if (strlen(input) > 0 && subreq_ok(r)) {
   
               /* run a URI-based subrequest */
               rsub = ap_sub_req_lookup_uri(input, r);
  @@ -2297,12 +2205,7 @@
       }
       else if (strcmp(p->pattern, "-F") == 0) {
           /* avoid infinite subrequest recursion */
  -        if (strlen(input) > 0               /* nonempty path, and            */
  -            && (   r->main == NULL          /* - either not in a subrequest
 */
  -                || (   r->main->uri != NULL /* - or in a subrequest...       */
  -                    && r->uri != NULL       /*   ...and URIs aren't NULL...
 */
  -                                            /*   ...and sub/main URIs differ */
  -                    && strcmp(r->main->uri, r->uri) != 0) ) ) {
  +        if (strlen(input) > 0 && subreq_ok(r)) {
   
               /* process a file-based subrequest:
                * this differs from -U in that no path translation is done.
  @@ -2376,6 +2279,139 @@
   ** +-------------------------------------------------------+
   */
   
  +
  +/*
  +**
  +**  perform all the expansions on the input string
  +**  leaving the result in the supplied buffer
  +**
  +*/
  +
  +static void do_expand(request_rec *r, char *input, char *buffer, int nbuf,
  +		       backrefinfo *briRR, backrefinfo *briRC)
  +{
  +    char *inp, *outp;
  +    size_t span, space;
  +
  +    /*
  +     * for security reasons this expansion must be perfomed in a
  +     * single pass, otherwise an attacker can arrange for the result
  +     * of an earlier expansion to include expansion specifiers that
  +     * are interpreted by a later expansion, producing results that
  +     * were not intended by the administrator.
  +     */
  +
  +    inp = input;
  +    outp = buffer;
  +    space = nbuf - 1; /* room for '\0' */
  +
  +    for (;;) {
  +	span = strcspn(inp, "$%");
  +	if (span > space) {
  +	    span = space;
  +	}
  +	memcpy(outp, inp, span);
  +	inp += span;
  +	outp += span;
  +	space -= span;
  +	if (space == 0 || *inp == '\0') {
  +	    break;
  +	}
  +	/* now we have a '$' or a '%' */
  +	if (inp[1] == '{') {
  +	    char *endp;
  +	    endp = strchr(inp, '}');
  +	    if (endp == NULL) {
  +		goto skip;
  +	    }
  +	    *endp = '\0';
  +	    if (inp[0] == '$') {
  +		/* ${...} map lookup expansion */
  +		char *key, *dflt, *result;
  +		key = strchr(inp, ':');
  +		if (key == NULL) {
  +		    goto skip;
  +		}
  +		*key++ = '\0';
  +		dflt = strchr(key, '|');
  +		if (dflt) {
  +		    *dflt++ = '\0';
  +		}
  +		result = lookup_map(r, inp+2, key);
  +		if (result == NULL) {
  +		    result = dflt ? dflt : "";
  +		}
  +		span = apr_cpystrn(outp, result, space) - outp;
  +		key[-1] = ':';
  +		if (dflt) {
  +		    dflt[-1] = '|';
  +		}
  +	    }
  +	    else if (inp[0] == '%') {
  +		/* %{...} variable lookup expansion */
  +		span = apr_cpystrn(outp, lookup_variable(r, inp+2), space) - outp;
  +	    }
  +	    else {
  +		span = 0;
  +	    }
  +	    *endp = '}';
  +	    inp = endp+1;
  +	    outp += span;
  +	    space -= span;
  +	    continue;
  +	}
  +	else if (apr_isdigit(inp[1])) {
  +	    int n = inp[1] - '0';
  +	    backrefinfo *bri = NULL;
  +	    if (inp[0] == '$') {
  +		/* $N RewriteRule regexp backref expansion */
  +		bri = briRR;
  +	    }
  +	    else if (inp[0] == '%') {
  +		/* %N RewriteCond regexp backref expansion */
  +		bri = briRC;
  +	    }
  +	    /* see ap_pregsub() in src/main/util.c */
  +            if (bri && n <= bri->nsub &&
  +		bri->regmatch[n].rm_eo > bri->regmatch[n].rm_so) {
  +		span = bri->regmatch[n].rm_eo - bri->regmatch[n].rm_so;
  +		if (span > space) {
  +		    span = space;
  +		}
  +		memcpy(outp, bri->source + bri->regmatch[n].rm_so, span);
  +		outp += span;
  +		space -= span;
  +	    }
  +	    inp += 2;
  +	    continue;
  +	}
  +    skip:
  +	*outp++ = *inp++;
  +	space--;
  +    }
  +    *outp++ = '\0';
  +}
  +
  +
  +/*
  +**
  +**  perform all the expansions on the environment variables
  +**
  +*/
  +
  +static void do_expand_env(request_rec *r, char *env[],
  +			  backrefinfo *briRR, backrefinfo *briRC)
  +{
  +    int i;
  +    char buf[MAX_STRING_LEN];
  +
  +    for (i = 0; env[i] != NULL; i++) {
  +	do_expand(r, env[i], buf, sizeof(buf), briRR, briRC);
  +	add_env_variable(r, buf);
  +    }
  +}
  +
  +
   /*
   **
   **  split out a QUERY_STRING part from
  @@ -2504,20 +2540,12 @@
   
   static void fully_qualify_uri(request_rec *r)
   {
  -    int i;
       char buf[32];
       const char *thisserver;
       char *thisport;
       int port;
   
  -    i = strlen(r->filename);
  -    if (!(   (i > 7 && strncasecmp(r->filename, "http://",   7) == 0)
  -          || (i > 8 && strncasecmp(r->filename, "https://",  8) == 0)
  -          || (i > 9 && strncasecmp(r->filename, "gopher://", 9) == 0)
  -          || (i > 6 && strncasecmp(r->filename, "ftp://",    6) == 0)
  -          || (i > 5 && strncasecmp(r->filename, "ldap:",     5) == 0)
  -          || (i > 5 && strncasecmp(r->filename, "news:",     5) == 0)
  -          || (i > 7 && strncasecmp(r->filename, "mailto:",   7) == 0))) {
  +    if (!is_absolute_uri(r->filename)) {
   
           thisserver = ap_get_server_name(r);
           port = ap_get_server_port(r);
  @@ -2546,45 +2574,24 @@
   
   /*
   **
  -**  Expand the %0-%9 or $0-$9 regex backreferences
  +**  return non-zero if the URI is absolute (includes a scheme etc.)
   **
   */
   
  -static void expand_backref_inbuffer(apr_pool_t *p, char *buf, int nbuf,
  -                                    backrefinfo *bri, char c)
  +static int is_absolute_uri(char *uri)
   {
  -    register int i;
  -
  -    /* protect existing $N and & backrefs and replace <c>N with $N backrefs */
  -    for (i = 0; buf[i] != '\0' && i < nbuf; i++) {
  -        if (buf[i] == '\\' && (buf[i+1] != '\0' && i < (nbuf-1))) {
  -            i++; /* protect next */
  -        }
  -        else if (buf[i] == '&') {
  -            buf[i] = '\001';
  -        }
  -        else if (c != '$' && buf[i] == '$' && (buf[i+1] >= '0' &&
buf[i+1] <= '9')) {
  -            buf[i] = '\002';
  -            i++; /* speedup */
  -        }
  -        else if (buf[i] == c && (buf[i+1] >= '0' && buf[i+1] <= '9'))
{
  -            buf[i] = '$';
  -            i++; /* speedup */
  -        }
  +    int i = strlen(uri);
  +    if (   (i > 7 && strncasecmp(uri, "http://",   7) == 0)
  +        || (i > 8 && strncasecmp(uri, "https://",  8) == 0)
  +        || (i > 9 && strncasecmp(uri, "gopher://", 9) == 0)
  +        || (i > 6 && strncasecmp(uri, "ftp://",    6) == 0)
  +        || (i > 5 && strncasecmp(uri, "ldap:",     5) == 0)
  +        || (i > 5 && strncasecmp(uri, "news:",     5) == 0)
  +        || (i > 7 && strncasecmp(uri, "mailto:",   7) == 0) ) {
  +	return 1;
       }
  -
  -    /* now apply the standard regex substitution function */
  -    apr_cpystrn(buf, ap_pregsub(p, buf, bri->source,
  -                               bri->nsub+1, bri->regmatch), nbuf);
  -
  -    /* restore the original $N and & backrefs */
  -    for (i = 0; buf[i] != '\0' && i < nbuf; i++) {
  -        if (buf[i] == '\001') {
  -            buf[i] = '&';
  -        }
  -        else if (buf[i] == '\002') {
  -            buf[i] = '$';
  -        }
  +    else {
  +	return 0;
       }
   }
   
  @@ -2633,119 +2640,6 @@
   }
   #endif
   
  -/*
  -**
  -**  mapfile expansion support
  -**  i.e. expansion of MAP lookup directives
  -**  ${<mapname>:<key>} in RewriteRule rhs
  -**
  -*/
  -
  -#define limit_length(n) (n > LONG_STRING_LEN-1 ? LONG_STRING_LEN-1 : n)
  -
  -static void expand_map_lookups(request_rec *r, char *uri, int uri_len)
  -{
  -    char newuri[MAX_STRING_LEN];
  -    char *cpI;
  -    char *cpIE;
  -    char *cpO;
  -    char *cpT;
  -    char *cpT2;
  -    char mapname[LONG_STRING_LEN];
  -    char mapkey[LONG_STRING_LEN];
  -    char defaultvalue[LONG_STRING_LEN];
  -    int n;
  -
  -    cpI = uri;
  -    cpIE = cpI+strlen(cpI);
  -    cpO = newuri;
  -    while (cpI < cpIE) {
  -        if (cpI+6 < cpIE && strncmp(cpI, "${", 2) == 0) {
  -            /* missing delimiter -> take it as plain text */
  -            if (   strchr(cpI+2, ':') == NULL
  -                || strchr(cpI+2, '}') == NULL) {
  -                memcpy(cpO, cpI, 2);
  -                cpO += 2;
  -                cpI += 2;
  -                continue;
  -            }
  -            cpI += 2;
  -
  -            cpT = strchr(cpI, ':');
  -            n = cpT-cpI;
  -            memcpy(mapname, cpI, limit_length(n));
  -            mapname[limit_length(n)] = '\0';
  -            cpI += n+1;
  -
  -            cpT2 = strchr(cpI, '|');
  -            cpT = strchr(cpI, '}');
  -            if (cpT2 != NULL && cpT2 < cpT) {
  -                n = cpT2-cpI;
  -                memcpy(mapkey, cpI, limit_length(n));
  -                mapkey[limit_length(n)] = '\0';
  -                cpI += n+1;
  -
  -                n = cpT-cpI;
  -                memcpy(defaultvalue, cpI, limit_length(n));
  -                defaultvalue[limit_length(n)] = '\0';
  -                cpI += n+1;
  -            }
  -            else {
  -                n = cpT-cpI;
  -                memcpy(mapkey, cpI, limit_length(n));
  -                mapkey[limit_length(n)] = '\0';
  -                cpI += n+1;
  -
  -                defaultvalue[0] = '\0';
  -            }
  -
  -            cpT = lookup_map(r, mapname, mapkey);
  -            if (cpT != NULL) {
  -                n = strlen(cpT);
  -                if (cpO + n >= newuri + sizeof(newuri)) {
  -                    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR,
  -                                 0, r, "insufficient space in "
  -                                 "expand_map_lookups, aborting");
  -                    return;
  -                }
  -                memcpy(cpO, cpT, n);
  -                cpO += n;
  -            }
  -            else {
  -                n = strlen(defaultvalue);
  -                if (cpO + n >= newuri + sizeof(newuri)) {
  -                    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 
  -                                 0, r, "insufficient space in "
  -                                 "expand_map_lookups, aborting");
  -                    return;
  -                }
  -                memcpy(cpO, defaultvalue, n);
  -                cpO += n;
  -            }
  -        }
  -        else {
  -            cpT = strstr(cpI, "${");
  -            if (cpT == NULL)
  -                cpT = cpI+strlen(cpI);
  -            n = cpT-cpI;
  -            if (cpO + n >= newuri + sizeof(newuri)) {
  -                ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 
  -                             0, r, "insufficient space in "
  -                             "expand_map_lookups, aborting");
  -                return;
  -            }
  -            memcpy(cpO, cpI, n);
  -            cpO += n;
  -            cpI += n;
  -        }
  -    }
  -    *cpO = '\0';
  -    apr_cpystrn(uri, newuri, uri_len);
  -    return;
  -}
  -
  -#undef limit_length
  -
   
   
   /*
  @@ -3503,53 +3397,6 @@
   */
   
   
  -static void expand_variables_inbuffer(request_rec *r, char *buf, int buf_len)
  -{
  -    char *newbuf;
  -    newbuf = expand_variables(r, buf);
  -    if (strcmp(newbuf, buf) != 0) {
  -        apr_cpystrn(buf, newbuf, buf_len);
  -    }
  -    return;
  -}
  -
  -static char *expand_variables(request_rec *r, char *str)
  -{
  -    char output[MAX_STRING_LEN];
  -    char input[MAX_STRING_LEN];
  -    char *cp;
  -    char *cp2;
  -    char *cp3;
  -    int expanded;
  -    char *outp;
  -    char *endp;
  -
  -    apr_cpystrn(input, str, sizeof(input));
  -    output[0] = '\0';
  -    outp = output;
  -    endp = output + sizeof(output);
  -    expanded = 0;
  -    for (cp = input; cp < input+MAX_STRING_LEN; ) {
  -        if ((cp2 = strstr(cp, "%{")) != NULL) {
  -            if ((cp3 = strstr(cp2, "}")) != NULL) {
  -                *cp2 = '\0';
  -                outp = apr_cpystrn(outp, cp, endp - outp);
  -
  -                cp2 += 2;
  -                *cp3 = '\0';
  -                outp = apr_cpystrn(outp, lookup_variable(r, cp2), endp - outp);
  -
  -                cp = cp3+1;
  -                expanded = 1;
  -                continue;
  -            }
  -        }
  -        outp = apr_cpystrn(outp, cp, endp - outp);
  -        break;
  -    }
  -    return expanded ? apr_pstrdup(r->pool, output) : str;
  -}
  -
   static char *lookup_variable(request_rec *r, char *var)
   {
       const char *result;
  @@ -4163,6 +4010,23 @@
       }
   }
   
  +
  +/*
  +**
  +**  check that a subrequest won't cause infinite recursion
  +**
  +*/
  +
  +static int subreq_ok(request_rec *r)
  +{
  +    /*
  +     * either not in a subrequest, or in a subrequest
  +     * and URIs aren't NULL and sub/main URIs differ
  +     */
  +    return (r->main == NULL ||
  +	    (r->main->uri != NULL && r->uri != NULL &&
  +	     strcmp(r->main->uri, r->uri) != 0));
  +}
   
   
   /*
  
  
  
  1.18      +7 -5      apache-2.0/src/modules/standard/mod_rewrite.h
  
  Index: mod_rewrite.h
  ===================================================================
  RCS file: /home/cvs/apache-2.0/src/modules/standard/mod_rewrite.h,v
  retrieving revision 1.17
  retrieving revision 1.18
  diff -u -u -r1.17 -r1.18
  --- mod_rewrite.h	2000/08/21 19:09:01	1.17
  +++ mod_rewrite.h	2000/09/23 00:05:45	1.18
  @@ -398,14 +398,17 @@
                                 char *perdir, backrefinfo *briRR,
                                 backrefinfo *briRC);
   
  +static void do_expand(request_rec *r, char *input, char *buffer, int nbuf,
  +		      backrefinfo *briRR, backrefinfo *briRC);
  +static void do_expand_env(request_rec *r, char *env[],
  +			  backrefinfo *briRR, backrefinfo *briRC);
  +
       /* URI transformation function */
   static void  splitout_queryargs(request_rec *r, int qsappend);
   static void  fully_qualify_uri(request_rec *r);
   static void  reduce_uri(request_rec *r);
  -static void  expand_backref_inbuffer(apr_pool_t *p, char *buf, int nbuf,
  -                                     backrefinfo *bri, char c);
  +static int   is_absolute_uri(char *uri);
   static char *expand_tildepaths(request_rec *r, char *uri);
  -static void  expand_map_lookups(request_rec *r, char *uri, int uri_len);
   
       /* rewrite map support functions */
   static char *lookup_map(request_rec *r, char *name, char *key);
  @@ -443,8 +446,6 @@
                                                apr_file_t **fperr);
   
       /* env variable support */
  -static void  expand_variables_inbuffer(request_rec *r, char *buf, int buf_len);
  -static char *expand_variables(request_rec *r, char *str);
   static char *lookup_variable(request_rec *r, char *var);
   static char *lookup_header(request_rec *r, const char *name);
   
  @@ -463,6 +464,7 @@
   static int    parseargline(char *str, char **a1, char **a2, char **a3);
   static int    prefix_stat(const char *path, apr_finfo_t *sb);
   static void   add_env_variable(request_rec *r, char *s);
  +static int    subreq_ok(request_rec *r);
   
       /* Lexicographic Comparison */
   static int compare_lexicography(char *cpNum1, char *cpNum2);
  
  
  

Mime
View raw message