You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Yann Ylavic <yl...@gmail.com> on 2017/06/24 08:55:42 UTC
Re: svn commit: r1799731 - in /httpd/httpd/trunk: CHANGES server/request.c
Hi Gregg,
On Sat, Jun 24, 2017 at 7:49 AM, <gs...@apache.org> wrote:
> Author: gsmith
> Date: Sat Jun 24 05:49:45 2017
> New Revision: 1799731
>
> URL: http://svn.apache.org/viewvc?rev=1799731&view=rev
> Log:
> Send a 404 response like other OSs do instead of 403 on Windows when
> a path segment or file requested uses a reserved word so Windows
> cannot be fingerprinted. PR55887
>
> Modified:
> httpd/httpd/trunk/server/request.c
>
> Modified: httpd/httpd/trunk/server/request.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/request.c?rev=1799731&r1=1799730&r2=1799731&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/server/request.c (original)
> +++ httpd/httpd/trunk/server/request.c Sat Jun 24 05:49:45 2017
> @@ -1211,10 +1211,25 @@ AP_DECLARE(int) ap_directory_walk(reques
> break;
> }
> else if (thisinfo.filetype != APR_DIR) {
> +#ifdef _WIN32
> + ap_regex_t *preg;
> +#endif
> ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00038)
> "Forbidden: %s doesn't point to "
> "a file or directory",
> r->filename);
> +#ifdef _WIN32
> + /* Windows has a number of reserved words that cannot be used
> + * as a file or directory name so thisinfo.filetype will
> + * always be != APR_DIR. Don't allow us be fingerprinted with
> + * a 403 and instead send a 404 like other OSs would. PR55887
> + */
> + preg = ap_pregcomp(r->pool,
> + "/(aux|con|com[1-9]|lpt[1-9]|nul|prn)"
> + "($|/|.)", AP_REG_EXTENDED | AP_REG_ICASE);
Couldn't we compile this regexp once at load time (e.g. a static preg
at pre/post_config)?
> + if (ap_regexec(preg, r->uri, 0, NULL, 0) == 0)
> + return r->status = HTTP_NOT_FOUND;
> +#endif
> return r->status = HTTP_FORBIDDEN;
> }
Regards,
Yann.