You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2021/04/13 00:46:53 UTC

[Bug 65238] New: URL slash merging broken

https://bz.apache.org/bugzilla/show_bug.cgi?id=65238

            Bug ID: 65238
           Summary: URL slash merging broken
           Product: Apache httpd-2
           Version: 2.4.39
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: Core
          Assignee: bugs@httpd.apache.org
          Reporter: calestyo@scientia.net
  Target Milestone: ---

Hey.

When looking at the ambiguities in the documentation for MergeSlashes:
  https://bz.apache.org/bugzilla/show_bug.cgi?id=65073#c1
I've noted that this seems to be more severely broken.

AFAIU before MergeSlashes was added it used to be like that:
- LocationMatch doesn't merge multiple slashes, so one must literally match
them in the pattern, or e.g. use something like /+

- Location (non-regex) does merge multiple slashes, so a patter like "/foo/bar"
will work for a request for "/foo//bar", too.


But it seems this is no longer the case with either MergeSlashes On or Off.

If set On, it work for:
 <Location "/xx/yy">
 request to "/xx/yy"  => match
 request to "/xx//yy" => match
but on can no longer literally match //:
 <LocationMatch "^/xx//yy$">
 request to "/xx/yy"  => no match
 request to "/xx//yy" => no match

If set Off, one can literally match //:
 <LocationMatch "^/xx//yy$">
 request to "/xx/yy"  => no match
 request to "/xx//yy" => match
but then the folding with Location (non-regex) is broken:
 <Location "/xx/yy">
 request to "/xx/yy"  => match
 request to "/xx//yy" => no match


Cheers,
Chris.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 65238] URL slash merging broken

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=65238

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #1 from Eric Covener <co...@gmail.com> ---
Thanks for the report. "MergeSlashes OFF" should now act like the historical
default behavior in 2.4.47/2.4.48 and later.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org