author | Yann Ylavic <ylavic@apache.org> | 2020-06-22 10:29:27 +0000 |
---|---|---|
committer | Yann Ylavic <ylavic@apache.org> | 2020-06-22 10:29:27 +0000 |
commit | 4c79fd280dfa3eede5a6f3baebc7ef2e55b3eb6a (patch) | |
tree | b0a2d20a8bdbaef0d868fd2f3bc440ce1add089f /modules/dav | |
parent | b3f1c802ac5f960b2a19448944569d576a20fa73 (diff) | |
download | httpd-4c79fd280dfa3eede5a6f3baebc7ef2e55b3eb6a.tar.gz |
Add ap_normalize_path() to replace ap_getparents() (with options).
include/httpd.h: Declare ap_normalize_path() and flags.
AP_NORMALIZE_ALLOW_RELATIVE:
Don't require that the path be absolute as per RFC 7230.
This is needed for lookup subrequests.
AP_NORMALIZE_NOT_ABOVE_ROOT:
Check that directory traversal ("..") doesn't go above root, or
initial directory with relative paths.
AP_NORMALIZE_DECODE_UNRESERVED:
Decode unreserved characters (like '.') first since they have
the same semantics encoded and decoded.
AP_NORMALIZE_MERGE_SLASHES:
Merge multiple slashes into a single one.
AP_NORMALIZE_DROP_PARAMETERS:
Ignore path parameters (";foo=bar"). Not used by httpd but since
ap_normalize_path() is taken from mod_jk's jk_servlet_normalize()
it can allow them to use the upstream version now.
server/util.c: Implement ap_normalize_path().
modules/dav/main/util.c: Replace call to ap_getparents() using
ap_normalize_path() with AP_NORMALIZE_DECODE_UNRESERVED flag since
the path comes from an absolute URL (thus potentially %-encoded).
modules/generators/mod_autoindex.c: Replace call to ap_getparents() using
ap_normalize_path() with AP_NORMALIZE_ALLOW_RELATIVE and
AP_NORMALIZE_NOT_ABOVE_ROOT flags to be consistent with original code.
include/ap_mmn.h: MINOR bump for ap_normalize_path().
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879074 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules/dav')
-rw-r--r-- | modules/dav/main/util.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c index e21f626068..8cf3fe5234 100644 --- a/modules/dav/main/util.c +++ b/modules/dav/main/util.c @@ -664,7 +664,12 @@ static dav_error * dav_process_if_header(request_rec *r, dav_if_header **p_ih) /* note that parsed_uri.path is allocated; we can trash it */ /* clean up the URI a bit */ - ap_getparents(parsed_uri.path); + if (!ap_normalize_path(parsed_uri.path, + AP_NORMALIZE_DECODE_UNRESERVED)) { + return dav_new_error(r->pool, HTTP_BAD_REQUEST, + DAV_ERR_IF_TAGGED, rv, + "Invalid URI path tagged If-header."); + } /* the resources we will compare to have unencoded paths */ if (ap_unescape_url(parsed_uri.path) != OK) { |
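Review bot: in the new error return, `rv` is passed as the APR status argument to dav_new_error(), but the result of ap_normalize_path() is only tested with `!` and never stored in it, so the status attached to the error is whatever an earlier call left in `rv`; pass 0 or a status that reflects the normalization failure. The call also uses only AP_NORMALIZE_DECODE_UNRESERVED, while the commit message describes AP_NORMALIZE_NOT_ABOVE_ROOT as the flag that checks ".." does not go above root. Since this path comes from a client-supplied If-header URI, either add that flag or extend the "clean up the URI a bit" comment to say why it is not needed here and what ap_normalize_path() does with leading ".." segments without it.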