httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jor...@apache.org
Subject cvs commit: httpd-2.0/modules/dav/main mod_dav.c
Date Thu, 08 Jan 2004 13:08:57 GMT
jorton      2004/01/08 05:08:57

  Modified:    .        CHANGES
               modules/dav/main mod_dav.c
  Log:
  * modules/dav/main/mod_dav.c (dav_handler): Reject request if the
  Request-URI includes a fragment part, i.e. an unescaped #.
  
  PR: 21779
  Submitted by: Amit Athavale <amit_athavale@lycos.com>
  
  Revision  Changes    Path
  1.1353    +3 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.1352
  retrieving revision 1.1353
  diff -b -d -u -r1.1352 -r1.1353
  --- CHANGES	7 Jan 2004 02:51:28 -0000	1.1352
  +++ CHANGES	8 Jan 2004 13:08:57 -0000	1.1353
  @@ -2,6 +2,9 @@
   
     [Remove entries to the current 2.0 section below, when backported]
   
  +  *) mod_dav: Disallow requests with an unescaped hash character in
  +     the Request-URI.  PR 21779.  Amit Athavale <amit_athavale lycos.com>
  +
     *) Add forensic logging module (mod_log_forensic).
        [Ben Laurie]
   
  
  
  
  1.103     +10 -0     httpd-2.0/modules/dav/main/mod_dav.c
  
  Index: mod_dav.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/dav/main/mod_dav.c,v
  retrieving revision 1.102
  retrieving revision 1.103
  diff -b -d -u -r1.102 -r1.103
  --- mod_dav.c	1 Jan 2004 13:26:18 -0000	1.102
  +++ mod_dav.c	8 Jan 2004 13:08:57 -0000	1.103
  @@ -4563,6 +4563,16 @@
       if (strcmp(r->handler, DAV_HANDLER_NAME) != 0)
           return DECLINED;
   
  +    /* Reject requests with an unescaped hash character, as these may
  +     * be more destructive than the user intended. */
  +    if (r->parsed_uri.fragment != NULL) {
  +        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
  +                     "buggy client used un-escaped hash in Request-URI");
  +        return dav_error_response(r, HTTP_BAD_REQUEST, 
  +                                  "The request was invalid: the URI included "
  +                                  "an un-escaped hash character");
  +    }
  +
       /* ### do we need to do anything with r->proxyreq ?? */
   
       /*
  
  
  

Mime
View raw message