You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2021/04/13 00:46:53 UTC
[Bug 65238] New: URL slash merging broken
https://bz.apache.org/bugzilla/show_bug.cgi?id=65238
Bug ID: 65238
Summary: URL slash merging broken
Product: Apache httpd-2
Version: 2.4.39
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Core
Assignee: bugs@httpd.apache.org
Reporter: calestyo@scientia.net
Target Milestone: ---
Hey.
When looking at the ambiguities in the documentation for MergeSlashes:
https://bz.apache.org/bugzilla/show_bug.cgi?id=65073#c1
I've noted that this seems to be more severely broken.
AFAIU before MergeSlashes was added it used to be like that:
- LocationMatch doesn't merge multiple slashes, so one must literally match
them in the pattern, or e.g. use something like /+
- Location (non-regex) does merge multiple slashes, so a patter like "/foo/bar"
will work for a request for "/foo//bar", too.
But it seems this is no longer the case with either MergeSlashes On or Off.
If set On, it work for:
<Location "/xx/yy">
request to "/xx/yy" => match
request to "/xx//yy" => match
but on can no longer literally match //:
<LocationMatch "^/xx//yy$">
request to "/xx/yy" => no match
request to "/xx//yy" => no match
If set Off, one can literally match //:
<LocationMatch "^/xx//yy$">
request to "/xx/yy" => no match
request to "/xx//yy" => match
but then the folding with Location (non-regex) is broken:
<Location "/xx/yy">
request to "/xx/yy" => match
request to "/xx//yy" => no match
Cheers,
Chris.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 65238] URL slash merging broken
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65238
Eric Covener <co...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #1 from Eric Covener <co...@gmail.com> ---
Thanks for the report. "MergeSlashes OFF" should now act like the historical
default behavior in 2.4.47/2.4.48 and later.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org