httpd-cvs mailing list archives

From jor...@apache.org
Subject cvs commit: httpd-2.0 CHANGES
Date Fri, 30 Jan 2004 13:19:25 GMT
jorton      2004/01/30 05:19:25

  Modified:    modules/dav/main Tag: APACHE_2_0_BRANCH mod_dav.c
               .        Tag: APACHE_2_0_BRANCH CHANGES
  Log:
  * modules/dav/main/mod_dav.c (dav_handler): Reject request if the
  Request-URI includes a fragment part, i.e. an unescaped #.
  
  PR: 21779
  Submitted by: Amit Athavale <amit_athavale@lycos.com>
  Reviewed by: Joe Orton, André Malo, Justin Erenkrantz
  
  Revision  Changes    Path
  No                   revision
  No                   revision
  1.91.2.7  +10 -0     httpd-2.0/modules/dav/main/mod_dav.c
  
  Index: mod_dav.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/dav/main/mod_dav.c,v
  retrieving revision 1.91.2.6
  retrieving revision 1.91.2.7
  diff -b -d -u -r1.91.2.6 -r1.91.2.7
  --- mod_dav.c	1 Jan 2004 13:30:38 -0000	1.91.2.6
  +++ mod_dav.c	30 Jan 2004 13:19:24 -0000	1.91.2.7
  @@ -4559,6 +4559,16 @@
       if (strcmp(r->handler, DAV_HANDLER_NAME) != 0)
           return DECLINED;
   
  +    /* Reject requests with an unescaped hash character, as these may
  +     * be more destructive than the user intended. */
  +    if (r->parsed_uri.fragment != NULL) {
  +        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
  +                     "buggy client used un-escaped hash in Request-URI");
  +        return dav_error_response(r, HTTP_BAD_REQUEST, 
  +                                  "The request was invalid: the URI included "
  +                                  "an un-escaped hash character");
  +    }
  +
       /* ### do we need to do anything with r->proxyreq ?? */
   
       /*
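Review bot: The comment above the new check in dav_handler says these requests "may be more destructive than the user intended" but does not say why, and that is the part a later maintainer needs. Since the test is on r->parsed_uri.fragment, everything after the '#' has already been split off the path, so the method would act on the shorter path that remains; please spell that out in the comment. Two smaller points: the ap_log_rerror() message does not include the offending Request-URI, which makes the APLOG_ERR entry hard to trace back to a particular client request, and the line "return dav_error_response(r, HTTP_BAD_REQUEST, " ends in trailing whitespace.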
  
  
  
  No                   revision
  No                   revision
  1.988.2.228 +3 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.988.2.227
  retrieving revision 1.988.2.228
  diff -b -d -u -r1.988.2.227 -r1.988.2.228
  --- CHANGES	30 Jan 2004 13:13:30 -0000	1.988.2.227
  +++ CHANGES	30 Jan 2004 13:19:24 -0000	1.988.2.228
  @@ -1,5 +1,8 @@
   Changes with Apache 2.0.49
   
  +  *) mod_dav: Reject requests which include an unescaped fragment in the
  +     Request-URI.  PR 21779.  [Amit Athavale <amit_athavale lycos.com>]
  +
     *) Build array of allowed methods with proper dimensions, fixing
        possible memory corruption.  [Jeff Trawick]
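Review bot: The CHANGES entry added at the top of the 2.0.49 section says requests are rejected but not how, so an administrator who sees DAV clients start to fail after upgrading has nothing to search for. The mod_dav.c change in this commit returns HTTP_BAD_REQUEST, so consider wording such as "mod_dav: Reject requests which include an unescaped fragment in the Request-URI with a 400 response", keeping the PR reference.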
   
  
  
  
