httpd-dev mailing list archives

From André Malo ...@perlig.de>
Subject Re: *Match, RewriteRule POLA violation?
Date Fri, 01 May 2015 15:52:45 GMT
* Niklas Edmundsson wrote:

> On Thu, 30 Apr 2015, Yann Ylavic wrote:
> > On Thu, Apr 30, 2015 at 2:57 PM, Jim Riggs <apache-lists@riggs.me> wrote:
> >> Thanks, Yann. I remember looking at this code before. The question
> >> remains, though: Is it currently "wrong"? Does it need to be "fixed",
> >> or was this distinction made intentionally? Is there a specific use
> >> case that requires the regex-matching directives to not get
> >> slash-normalized URIs?
> >
> > I would like it to be fixed, non leading "/+" is equivalent to "/",
> > this would break very few (if any) cases IMHO, and may even unbreak
> > more ones.
>
> +1
>
> I would expect Location and LocationMatch using the same uri for
> comparison.

Hmm, that assumption is wrong by definition. Location always matches a 
prefix (a part of a parsed/unparsed url), while LocationMatch always 
matches the complete URL.

> I would actually go so far as the current state might 
> warrant a CVE for being a hidden security risk that might cause
> inadvertent information exposure.

It *is* documented right here, btw: 
http://httpd.apache.org/docs/2.4/mod/core.html#location

(found it, eventually...)

nd
-- 
"Comprehensive work (also for those switching from Apache 1.3)"
                                          -- from a review

<http://pub.perlig.de/books.html#apache2>
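
The distinction discussed in this thread, as an added example that is not part of the original message and not httpd's own code: a simplified Python model of the behaviour described in the documentation linked above, where a non-regex `<Location>` matches a prefix of the slash-merged path and `<LocationMatch>` applies its regex to the path as received. The function names, the sample paths and both patterns are assumptions made for illustration; the model ignores proxy requests and wildcards.

```python
import re

def location_covers(prefix: str, uri: str) -> bool:
    """Model of non-regex <Location> (non-proxy request): repeated slashes
    in the request path are merged, then the section matches as a prefix
    that must end on a path-segment boundary."""
    merged = re.sub(r"/+", "/", uri)
    base = prefix.rstrip("/")
    return merged == base or merged.startswith(base + "/")

def locationmatch_covers(pattern: str, uri: str) -> bool:
    """Model of <LocationMatch>: the regex sees the path exactly as it was
    received, so repeated slashes are not collapsed before matching."""
    return re.search(pattern, uri) is not None

def coverage_gaps(prefix: str, pattern: str, uris: list) -> list:
    """Paths the prefix section applies to but the regex section misses.
    Any entry here is a request that would escape rules placed only in
    the regex section."""
    return [u for u in uris
            if location_covers(prefix, u) and not locationmatch_covers(pattern, u)]

# Constructed sample request paths (not taken from the thread).
SAMPLE_URIS = [
    "/private/report",
    "//private/report",
    "/private//report",
    "/public/index.html",
    "/privateer",
]

# Hypothetical patterns an administrator might write for the same area.
NAIVE = r"^/private(/|$)"      # assumes exactly one leading slash
TOLERANT = r"^/+private(/|$)"  # accepts one or more leading slashes

if __name__ == "__main__":
    for name, pattern in (("naive", NAIVE), ("tolerant", TOLERANT)):
        gaps = coverage_gaps("/private", pattern, SAMPLE_URIS)
        print(f"{name:9} {pattern:20} gaps: {gaps}")
```

Running the same comparison over the patterns and representative paths from a real configuration shows which regex sections need an explicit `/+` to agree with their prefix counterparts.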
