Posted to bugs@apr.apache.org by bu...@apache.org on 2013/07/23 14:15:09 UTC

[Bug 55299] New: apr_uri_parse("login?src=http://www.apache.org") aborts with APR_EGENERAL

https://issues.apache.org/bugzilla/show_bug.cgi?id=55299

            Bug ID: 55299
           Summary: apr_uri_parse("login?src=http://www.apache.org")
                    aborts with APR_EGENERAL
           Product: APR
           Version: HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: APR
          Assignee: bugs@apr.apache.org
          Reporter: mweb@gmx.ch

Created attachment 30616
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=30616&action=edit
Patch for apr

The apr_uri_parse fails to recognise a valid URL like this:

  login?src=http://www.apache.org

It returns APR_EGENERAL since it found a colon before the first slash.

I added tests for this scenario and fixed the check.

The problem can be found within TRUNK of APR and within apr-util/branches/1.5.x

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@apr.apache.org
For additional commands, e-mail: bugs-help@apr.apache.org


[Bug 55299] apr_uri_parse("login?src=http://www.apache.org") aborts with APR_EGENERAL

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55299

--- Comment #4 from Joe Orton <jo...@redhat.com> ---
Nick is right, that is not a valid URI even by RFC 3986.   It is a valid
URI-reference.  I am not sure if apr_uri_parse() attempts to handle all valid
URI-reference strings, however, the API only says "URI".



[Bug 55299] apr_uri_parse("login?src=http://www.apache.org") aborts with APR_EGENERAL

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55299

--- Comment #5 from Mathias Weber <mw...@gmx.ch> ---
(In reply to Nick Kew from comment #3)
> Aha.  I was referencing RFC 2396, which is what apr_uri implements.  It's
> been quite a while since it's had more than small, incremental updates or
> fixes.
> 

There is already a reference to RFC 3986 within the code. The change with the
reference to the RFC 3986 broke my Apache Plugin as this change came to the
Apache 2.2.

> Your report and reference to RFC changes leads me to think a more extensive
> review in the light of RFC changes might be overdue.  Do you know if there's
> a quick reference / cheat-sheet describing changes to the RFC?

This might be a good idea but I haven't seen a quick reference / cheat-sheet
with the differences.



[Bug 55299] apr_uri_parse("login?src=http://www.apache.org") aborts with APR_EGENERAL

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55299

Mathias Weber <mw...@gmx.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW



[Bug 55299] apr_uri_parse("login?src=http://www.apache.org") aborts with APR_EGENERAL

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55299

--- Comment #6 from Mathias Weber <mw...@gmx.ch> ---
(In reply to Joe Orton from comment #4)
> Nick is right, that is not a valid URI even by RFC 3986.   It is a valid
> URI-reference.  I am not sure if apr_uri_parse() attempts to handle all
> valid URI-reference strings, however, the API only says "URI".

Actually it is a valid URI. The apr_uri_parse must not try to parse a URI
within a query but it should actually allow all valid characters for the query
and not fail just because the colon character for example is not valid within
the URI but would be allowed within the query part.



[Bug 55299] apr_uri_parse("login?src=http://www.apache.org") aborts with APR_EGENERAL

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55299

--- Comment #3 from Nick Kew <ni...@webthing.com> ---
Aha.  I was referencing RFC 2396, which is what apr_uri implements.  It's been
quite a while since it's had more than small, incremental updates or fixes.

Your report and reference to RFC changes leads me to think a more extensive
review in the light of RFC changes might be overdue.  Do you know if there's a
quick reference / cheat-sheet describing changes to the RFC?



[Bug 55299] apr_uri_parse("login?src=http://www.apache.org") aborts with APR_EGENERAL

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55299

Nick Kew <ni...@webthing.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #1 from Nick Kew <ni...@webthing.com> ---
How is this a valid URI?  At first glance, it would seem:

1. The ? is reserved, and marks "src=http://www.apache.org" as a query
component.
2. But within a query component, ':' and '/' are reserved and must be escaped.
3. Therefore this is not a valid URI.



[Bug 55299] apr_uri_parse("login?src=http://www.apache.org") aborts with APR_EGENERAL

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55299

--- Comment #2 from Mathias Weber <mw...@gmx.ch> ---
According to the RFC 3986 it is possible to have a : or a / within the query
parameter. See RFC 3986 3.4.

Here is the copy of the definition of the query:

   pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"

   query         = *( pchar / "/" / "?" )

   unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"
   sub-delims    = "!" / "$" / "&" / "'" / "(" / ")"
                 / "*" / "+" / "," / ";" / "="

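The distinction argued in this thread, as an added C example (not APR's code and not the attached patch): a "colon before the first slash" test misreads the reported string, while a scan that also stops at '?' and '#' sees no scheme and the query passes the RFC 3986 section 3.4 grammar quoted in comment #2. The function names are hypothetical, and the first function is only a sketch of the behaviour the report describes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Sketch of the reported behaviour: any ':' ahead of the first '/' counts. */
static int colon_before_first_slash(const char *s)
{
    size_t n = strcspn(s, "/");          /* length up to first '/' or end */
    return memchr(s, ':', n) != NULL;
}

/* RFC 3986: a ':' delimits a scheme only if it precedes any '/', '?' or '#'.
 * Returns the scheme length, or 0 when there is no valid scheme. */
static size_t scheme_length(const char *s)
{
    size_t i, n = strcspn(s, ":/?#");
    if (s[n] != ':' || n == 0 || !isalpha((unsigned char)s[0]))
        return 0;
    for (i = 1; i < n; i++)              /* ALPHA / DIGIT / "+" / "-" / "." */
        if (!isalnum((unsigned char)s[i]) && !strchr("+-.", s[i]))
            return 0;
    return n;
}

/* 1 if s has a query and every character fits query = *( pchar / "/" / "?" );
 * the query runs from '?' to '#' or the end of the string. */
static int query_is_valid(const char *s)
{
    static const char extra[] = "-._~!$&'()*+,;=:@/?"; /* non-alnum pchar set */
    const char *q = s + strcspn(s, "?#");
    if (*q != '?')
        return 0;
    for (q++; *q && *q != '#'; q++) {
        if (*q == '%' && isxdigit((unsigned char)q[1]) && isxdigit((unsigned char)q[2]))
            q += 2;                      /* well-formed pct-encoded triplet */
        else if (!isalnum((unsigned char)*q) && !strchr(extra, *q))
            return 0;                    /* includes a malformed '%' escape */
    }
    return 1;
}

int main(void)
{
    const char *ref = "login?src=http://www.apache.org"; /* string from the report */
    printf("%d %zu %d\n", colon_before_first_slash(ref), scheme_length(ref), query_is_valid(ref));
    return 0;
}
```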