Return-Path: X-Original-To: apmail-httpd-dev-archive@www.apache.org Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 5B6AF174B8 for ; Fri, 1 May 2015 15:53:48 +0000 (UTC) Received: (qmail 88295 invoked by uid 500); 1 May 2015 15:53:47 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 88210 invoked by uid 500); 1 May 2015 15:53:47 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 88200 invoked by uid 99); 1 May 2015 15:53:47 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 01 May 2015 15:53:47 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: message received from 54.76.25.247 which is an MX secondary for dev@httpd.apache.org) Received: from [54.76.25.247] (HELO mx1-eu-west.apache.org) (54.76.25.247) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 01 May 2015 15:53:23 +0000 Received: from jupiter.hal-nine-zero-zero-zero.net (jupiter.hal-nine-zero-zero-zero.net [212.227.252.63]) by mx1-eu-west.apache.org (ASF Mail Server at mx1-eu-west.apache.org) with SMTP id 9E75F2D22C for ; Fri, 1 May 2015 15:52:52 +0000 (UTC) Received: (qmail 17069 invoked from network); 1 May 2015 15:50:57 -0000 Received: from unknown (HELO localhost) (212.227.252.63) by jupiter.hal-nine-zero-zero-zero.net with SMTP; 1 May 2015 15:50:57 -0000 From: =?iso-8859-1?q?Andr=E9_Malo?= Organization: TIMTOWTDI To: dev@httpd.apache.org Subject: Re: *Match, RewriteRule POLA violation? Date: Fri, 1 May 2015 17:52:45 +0200 User-Agent: KMail/1.9.10 References: In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <201505011752.45430@news.perlig.de> X-Virus-Checked: Checked by ClamAV on apache.org * Niklas Edmundsson wrote: > On Thu, 30 Apr 2015, Yann Ylavic wrote: > > On Thu, Apr 30, 2015 at 2:57 PM, Jim Riggs wrote: > >> Thanks, Yann. I remember looking at this code before. The question > >> remains, though: Is it currently "wrong"? Does it need to be "fixed", > >> or was this distinction made intentionally? Is there a specific use > >> case that requires the regex-matching directives to not get > >> slash-normalized URIs? > > > > I would like it to be fixed, non leading "/+" is equivalent to "/", > > this would break very few (if any) cases IMHO, and may even unbreak > > more ones . > > +1 > > I would expect Location and LocationMatch using the same uri for > comparison. Hmm, that assumption is wrong by definition. Location always matches a prefix (a part of a parsed/unparsed url), while LocationMatch always matches the complete URL. > I would actually go so far as the current state might > warrant a CVE for being a hidden security risk that might cause > inadvertent information exposure. It *is* documented right here, btw: http://httpd.apache.org/docs/2.4/mod/core.html#location (found it, eventually...) nd -- "Umfassendes Werk (auch fuer Umsteiger vom Apache 1.3)" -- aus einer Rezension