httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From c...@apache.org
Subject cvs commit: httpd-2.0/server core.c request.c util.c
Date Thu, 08 May 2003 20:49:33 GMT
coar        2003/05/08 13:49:33

  Modified:    .        Tag: APACHE_2_0_BRANCH CHANGES STATUS
               include  Tag: APACHE_2_0_BRANCH ap_mmn.h http_core.h httpd.h
               server   Tag: APACHE_2_0_BRANCH core.c request.c util.c
  Log:
  	here we go.  add a directive that will keep %2f from being
  	decoded into '/', allowing the *_walk to do their magic and
  	return 404 if it's in the path, and allowing it in the path-info.
  	backported from 2.1 dev.
  
  PR:		14639 (et alia)
  Reviewed by:	nd, stoddard
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.988.2.86 +6 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.988.2.85
  retrieving revision 1.988.2.86
  diff -u -u -r1.988.2.85 -r1.988.2.86
  --- CHANGES	24 Apr 2003 16:16:17 -0000	1.988.2.85
  +++ CHANGES	8 May 2003 20:49:30 -0000	1.988.2.86
  @@ -1,5 +1,11 @@
   Changes with Apache 2.0.46
   
  +  *) Added AllowEncodedSlashes directive to permit control of whether
  +     the server will accept encoded slashes ('%2f') in the URI path.
  +     Default condition is off (the historical behaviour).  This permits
  +     environments in which the path-info needs to contain encoded
  +     slashes.  [Ken Coar]
  +
     *) When using Redirect in directory context, append requested query
        string if there's no one supplied by configuration. PR 10961.
        [André Malo]
  
  
  
  1.751.2.245 +1 -24     httpd-2.0/STATUS
  
  Index: STATUS
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/STATUS,v
  retrieving revision 1.751.2.244
  retrieving revision 1.751.2.245
  diff -u -u -r1.751.2.244 -r1.751.2.245
  --- STATUS	8 May 2003 14:21:11 -0000	1.751.2.244
  +++ STATUS	8 May 2003 20:49:31 -0000	1.751.2.245
  @@ -63,29 +63,6 @@
     [ please place file names and revisions from HEAD here, so it is easy to
       identify exactly what the proposed changes are! ]
   
  -    * AllowEncodedSlashes patch to permit %2f in path-info.
  -      CHANGES r1.1038
  -      include/ap_mmn.h r1.54 (based on r1.53)
  -      include/http_core.h r1.73
  -      include/httpd.h r1.193
  -      server/core.c r1.230
  -      server/request.c r1.123
  -      server/util.c r1.135
  -      +1: coar, nd, stoddard
  -      -0: wrowe
  -          nd: since it's inherited carefully (namely: not) and has to
  -              be explicitely turned on, I see no harm with that patch.
  -              (needs docs anyway!)
  -          wrowe: no veto here.  But I am now 100% convinced that it 
  -                 is altogether wrong to be rejecting any codes within 
  -                 the supposedly 'generic' ap_unparse_uri - and that the
  -                 rejection of %2f should occur elsewhere.
  -                 So in spirit I accept a more extreme version of coar's
  -                 patch, where a 'pure' _unparse_uri becomes the default.
  -                 But protection must be placed in dir_walk and some
  -                 consideration given to how this changes <Location >
  -                 block evaluation.
  -
       * Rewrite how proxy sends its request to allow input bodies to 
         morph the request bodies.  Previously, if an input filter
         changed the request body, the original C-L would be sent which
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.52.2.3  +2 -1      httpd-2.0/include/ap_mmn.h
  
  Index: ap_mmn.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/include/ap_mmn.h,v
  retrieving revision 1.52.2.2
  retrieving revision 1.52.2.3
  diff -u -u -r1.52.2.2 -r1.52.2.3
  --- ap_mmn.h	4 Apr 2003 01:07:33 -0000	1.52.2.2
  +++ ap_mmn.h	8 May 2003 20:49:32 -0000	1.52.2.3
  @@ -112,6 +112,7 @@
    * 20020628 (2.0.40-dev) Added filter_init to filter registration functions
    * 20020903 (2.0.41-dev) APR's error constants changed
    * 20020903.2 (2.0.46-dev) add ap_escape_logitem (.1 is waiting for backport)
  + * 20020903.3 (2.0.46-dev) allow_encoded_slashes added to core_dir_config
    */
   
   #define MODULE_MAGIC_COOKIE 0x41503230UL /* "AP20" */
  @@ -119,7 +120,7 @@
   #ifndef MODULE_MAGIC_NUMBER_MAJOR
   #define MODULE_MAGIC_NUMBER_MAJOR 20020903
   #endif
  -#define MODULE_MAGIC_NUMBER_MINOR 2                     /* 0...n */
  +#define MODULE_MAGIC_NUMBER_MINOR 3                     /* 0...n */
   
   /**
    * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
  
  
  
  1.70.2.2  +2 -1      httpd-2.0/include/http_core.h
  
  Index: http_core.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/include/http_core.h,v
  retrieving revision 1.70.2.1
  retrieving revision 1.70.2.2
  diff -u -u -r1.70.2.1 -r1.70.2.2
  --- http_core.h	3 Feb 2003 17:31:29 -0000	1.70.2.1
  +++ http_core.h	8 May 2003 20:49:32 -0000	1.70.2.2
  @@ -539,7 +539,8 @@
   #define ENABLE_SENDFILE_ON     (1)
   #define ENABLE_SENDFILE_UNSET  (2)
       unsigned int enable_sendfile : 2;  /* files in this dir can be mmap'ed */
  -
  +    unsigned int allow_encoded_slashes : 1; /* URLs may contain %2f w/o being
  +                                             * pitched indiscriminately */
   } core_dir_config;
   
   /* Per-server core configuration */
  
  
  
  1.191.2.4 +7 -1      httpd-2.0/include/httpd.h
  
  Index: httpd.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/include/httpd.h,v
  retrieving revision 1.191.2.3
  retrieving revision 1.191.2.4
  diff -u -u -r1.191.2.3 -r1.191.2.4
  --- httpd.h	4 Apr 2003 01:07:33 -0000	1.191.2.3
  +++ httpd.h	8 May 2003 20:49:32 -0000	1.191.2.4
  @@ -1314,10 +1314,16 @@
   
   /**
    * Unescape a URL
  - * @param url The url to unescapte
  + * @param url The url to unescape
    * @return 0 on success, non-zero otherwise
    */
   AP_DECLARE(int) ap_unescape_url(char *url);
  +/**
  + * Unescape a URL, but leaving %2f (slashes) escaped
  + * @param url The url to unescape
  + * @return 0 on success, non-zero otherwise
  + */
  +AP_DECLARE(int) ap_unescape_url_keep2f(char *url);
   /**
    * Convert all double slashes to single slashes
    * @param name The string to convert
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.225.2.5 +18 -0     httpd-2.0/server/core.c
  
  Index: core.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/server/core.c,v
  retrieving revision 1.225.2.4
  retrieving revision 1.225.2.5
  diff -u -u -r1.225.2.4 -r1.225.2.5
  --- core.c	3 Feb 2003 17:32:00 -0000	1.225.2.4
  +++ core.c	8 May 2003 20:49:32 -0000	1.225.2.5
  @@ -182,6 +182,7 @@
   
       conf->enable_mmap = ENABLE_MMAP_UNSET;
       conf->enable_sendfile = ENABLE_SENDFILE_UNSET;
  +    conf->allow_encoded_slashes = 0;
   
       return (void *)conf;
   }
  @@ -452,6 +453,8 @@
           conf->enable_sendfile = new->enable_sendfile;
       }
   
  +    conf->allow_encoded_slashes = new->allow_encoded_slashes;
  +    
       return (void*)conf;
   }
   
  @@ -2087,6 +2090,19 @@
       return NULL;
   }
   
  +static const char *set_allow2f(cmd_parms *cmd, void *d_, int arg)
  +{
  +    core_dir_config *d = d_;
  +    const char *err = ap_check_cmd_context(cmd, NOT_IN_LIMIT);
  +
  +    if (err != NULL) {
  +        return err;
  +    }
  +
  +    d->allow_encoded_slashes = arg != 0;
  +    return NULL;
  +}
  +
   static const char *set_hostname_lookups(cmd_parms *cmd, void *d_,
                                           const char *arg)
   {
  @@ -3077,6 +3093,8 @@
   AP_INIT_ITERATE2("AddOutputFilterByType", add_ct_output_filters,
          (void *)APR_OFFSETOF(core_dir_config, ct_output_filters), OR_FILEINFO,
        "output filter name followed by one or more content-types"),
  +AP_INIT_FLAG("AllowEncodedSlashes", set_allow2f, NULL, RSRC_CONF,
  +             "Allow URLs containing '/' encoded as '%2F'"),
   
   /*
    * These are default configuration directives that mpms can/should
  
  
  
  1.121.2.4 +14 -5     httpd-2.0/server/request.c
  
  Index: request.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/server/request.c,v
  retrieving revision 1.121.2.3
  retrieving revision 1.121.2.4
  diff -u -u -r1.121.2.3 -r1.121.2.4
  --- request.c	3 Feb 2003 17:32:00 -0000	1.121.2.3
  +++ request.c	8 May 2003 20:49:32 -0000	1.121.2.4
  @@ -147,13 +147,22 @@
   
       /* Ignore embedded %2F's in path for proxy requests */
       if (!r->proxyreq && r->parsed_uri.path) {
  -        access_status = ap_unescape_url(r->parsed_uri.path);
  +        core_dir_config *d;
  +        d = ap_get_module_config(r->per_dir_config, &core_module);
  +        if (d->allow_encoded_slashes) {
  +            access_status = ap_unescape_url_keep2f(r->parsed_uri.path);
  +        }
  +        else {
  +            access_status = ap_unescape_url(r->parsed_uri.path);
  +        }
           if (access_status) {
               if (access_status == HTTP_NOT_FOUND) {
  -                ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
  -                              "found %%2f (encoded '/') in URI "
  -                              "(decoded='%s'), returning 404",
  -                              r->parsed_uri.path);
  +                if (! d->allow_encoded_slashes) {
  +                    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
  +                                  "found %%2f (encoded '/') in URI "
  +                                  "(decoded='%s'), returning 404",
  +                                  r->parsed_uri.path);
  +                }
               }
               return access_status;
           }
  
  
  
  1.133.2.5 +51 -0     httpd-2.0/server/util.c
  
  Index: util.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/server/util.c,v
  retrieving revision 1.133.2.4
  retrieving revision 1.133.2.5
  diff -u -u -r1.133.2.4 -r1.133.2.5
  --- util.c	4 Apr 2003 01:07:33 -0000	1.133.2.4
  +++ util.c	8 May 2003 20:49:33 -0000	1.133.2.5
  @@ -1598,6 +1598,57 @@
           return OK;
   }
   
  +AP_DECLARE(int) ap_unescape_url_keep2f(char *url)
  +{
  +    register int badesc, badpath;
  +    char *x, *y;
  +
  +    badesc = 0;
  +    badpath = 0;
  +    /* Initial scan for first '%'. Don't bother writing values before
  +     * seeing a '%' */
  +    y = strchr(url, '%');
  +    if (y == NULL) {
  +        return OK;
  +    }
  +    for (x = y; *y; ++x, ++y) {
  +        if (*y != '%') {
  +            *x = *y;
  +        }
  +        else {
  +            if (!apr_isxdigit(*(y + 1)) || !apr_isxdigit(*(y + 2))) {
  +                badesc = 1;
  +                *x = '%';
  +            }
  +            else {
  +                char decoded;
  +                decoded = x2c(y + 1);
  +                if (IS_SLASH(decoded)) {
  +                    *x++ = *y++;
  +                    *x = *y;
  +                }
  +                else {
  +                    *x = decoded;
  +                    y += 2;
  +                    if (decoded == '\0') {
  +                        badpath = 1;
  +                    }
  +                }
  +            }
  +        }
  +    }
  +    *x = '\0';
  +    if (badesc) {
  +        return HTTP_BAD_REQUEST;
  +    }
  +    else if (badpath) {
  +        return HTTP_NOT_FOUND;
  +    }
  +    else {
  +        return OK;
  +    }
  +}
  +
   AP_DECLARE(char *) ap_construct_server(apr_pool_t *p, const char *hostname,
                                          apr_port_t port, const request_rec *r)
   {
  
  
  

Mime
View raw message