Posted to cvs@httpd.apache.org by co...@apache.org on 2003/01/23 22:34:14 UTC

cvs commit: httpd-2.0/server core.c request.c util.c

coar        2003/01/23 13:34:14

  Modified:    include  ap_mmn.h http_core.h httpd.h
               server   core.c request.c util.c
  Log:
  	here we go.  add a directive that will keep %2f from being
  	decoded into '/', allowing the *_walk to do their magic and
  	return 404 if it's in the path, and allowing it in the path-info.
  
  Revision  Changes    Path
  1.53      +2 -1      httpd-2.0/include/ap_mmn.h
  
  Index: ap_mmn.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/include/ap_mmn.h,v
  retrieving revision 1.52
  retrieving revision 1.53
  diff -u -u -r1.52 -r1.53
  --- ap_mmn.h	3 Sep 2002 23:39:43 -0000	1.52
  +++ ap_mmn.h	23 Jan 2003 21:34:12 -0000	1.53
  @@ -111,6 +111,7 @@
    * 20020625 (2.0.40-dev) Changed conn_rec->keepalive to an enumeration
    * 20020628 (2.0.40-dev) Added filter_init to filter registration functions
    * 20020903 (2.0.41-dev) APR's error constants changed
  + * 20020903.1 (2.0.44-dev) allow_encoded_slashes added to core_dir_config
    */
   
   #define MODULE_MAGIC_COOKIE 0x41503230UL /* "AP20" */
  @@ -118,7 +119,7 @@
   #ifndef MODULE_MAGIC_NUMBER_MAJOR
   #define MODULE_MAGIC_NUMBER_MAJOR 20020903
   #endif
  -#define MODULE_MAGIC_NUMBER_MINOR 0                     /* 0...n */
  +#define MODULE_MAGIC_NUMBER_MINOR 1                     /* 0...n */
   
   /**
    * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
  
  
  
  1.73      +2 -1      httpd-2.0/include/http_core.h
  
  Index: http_core.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/include/http_core.h,v
  retrieving revision 1.72
  retrieving revision 1.73
  diff -u -u -r1.72 -r1.73
  --- http_core.h	18 Jan 2003 03:37:53 -0000	1.72
  +++ http_core.h	23 Jan 2003 21:34:12 -0000	1.73
  @@ -537,7 +537,8 @@
   #define ENABLE_SENDFILE_ON     (1)
   #define ENABLE_SENDFILE_UNSET  (2)
       unsigned int enable_sendfile : 2;  /* files in this dir can be mmap'ed */
  -
  +    unsigned int allow_encoded_slashes : 1; /* URLs may contain %2f w/o being
  +                                             * pitched indiscriminately */
   } core_dir_config;
   
   /* Per-server core configuration */
  
  
  
  1.193     +7 -1      httpd-2.0/include/httpd.h
  
  Index: httpd.h
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/include/httpd.h,v
  retrieving revision 1.192
  retrieving revision 1.193
  diff -u -u -r1.192 -r1.193
  --- httpd.h	18 Jan 2003 03:37:53 -0000	1.192
  +++ httpd.h	23 Jan 2003 21:34:13 -0000	1.193
  @@ -1309,10 +1309,16 @@
   
   /**
    * Unescape a URL
  - * @param url The url to unescapte
  + * @param url The url to unescape
    * @return 0 on success, non-zero otherwise
    */
   AP_DECLARE(int) ap_unescape_url(char *url);
  +/**
  + * Unescape a URL, but leaving %2f (slashes) escaped
  + * @param url The url to unescape
  + * @return 0 on success, non-zero otherwise
  + */
  +AP_DECLARE(int) ap_unescape_url_keep2f(char *url);
   /**
    * Convert all double slashes to single slashes
    * @param name The string to convert
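Review bot: The docblock added for `ap_unescape_url_keep2f` says `@return 0 on success, non-zero otherwise`, which hides the two distinct failure statuses the util.c implementation in this same commit produces (HTTP_BAD_REQUEST for a malformed escape, HTTP_NOT_FOUND for a decoded NUL), and the summary "but leaving" reads awkwardly. Suggested text: `Unescape a URL, leaving any %2f (encoded '/') in place as the literal three-character escape` and `@return OK, HTTP_BAD_REQUEST on a malformed escape, or HTTP_NOT_FOUND if the decoded path contains a NUL`. Callers should also be told that the result is therefore not fully decoded, since anything that later compares the path literally will see `%2f` rather than '/'; whether the kept set is wider than '/' on some platforms depends on IS_SLASH, which is not visible here.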
  
  
  
  1.230     +18 -0     httpd-2.0/server/core.c
  
  Index: core.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/server/core.c,v
  retrieving revision 1.229
  retrieving revision 1.230
  diff -u -u -r1.229 -r1.230
  --- core.c	18 Jan 2003 03:37:54 -0000	1.229
  +++ core.c	23 Jan 2003 21:34:13 -0000	1.230
  @@ -180,6 +180,7 @@
   
       conf->enable_mmap = ENABLE_MMAP_UNSET;
       conf->enable_sendfile = ENABLE_SENDFILE_UNSET;
  +    conf->allow_encoded_slashes = 0;
   
       return (void *)conf;
   }
  @@ -446,6 +447,8 @@
           conf->enable_sendfile = new->enable_sendfile;
       }
   
  +    conf->allow_encoded_slashes = new->allow_encoded_slashes;
  +    
       return (void*)conf;
   }
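Review bot: The merge line `conf->allow_encoded_slashes = new->allow_encoded_slashes;` overwrites the base value unconditionally, and since every fresh config starts at 0 (the creator hunk above) the merge cannot tell "not set in the more specific config" from "set Off there"; the `enable_sendfile` lines just above avoid exactly this with an UNSET state. If per-server defaults are merged through this function, as they appear to be for the other fields, an `AllowEncodedSlashes On` in the main server would be silently lost in any vhost that does not repeat it. I would add an `allow_encoded_slashes_set : 1` bit beside the new field in the http_core.h hunk, set it in `set_allow2f`, and merge with `if (new->allow_encoded_slashes_set) { conf->allow_encoded_slashes = new->allow_encoded_slashes; conf->allow_encoded_slashes_set = 1; }`. The blank line added after the assignment also carries trailing whitespace. The enclosing merge function starts outside this hunk.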
   
  @@ -2066,6 +2069,19 @@
       return NULL;
   }
   
  +static const char *set_allow2f(cmd_parms *cmd, void *d_, int arg)
  +{
  +    core_dir_config *d = d_;
  +    const char *err = ap_check_cmd_context(cmd, NOT_IN_LIMIT);
  +
  +    if (err != NULL) {
  +        return err;
  +    }
  +
  +    d->allow_encoded_slashes = arg != 0;
  +    return NULL;
  +}
  +
   static const char *set_hostname_lookups(cmd_parms *cmd, void *d_,
                                           const char *arg)
   {
  @@ -3054,6 +3070,8 @@
   AP_INIT_ITERATE2("AddOutputFilterByType", add_ct_output_filters,
          (void *)APR_OFFSETOF(core_dir_config, ct_output_filters), OR_FILEINFO,
        "output filter name followed by one or more content-types"),
  +AP_INIT_FLAG("AllowEncodedSlashes", set_allow2f, NULL, RSRC_CONF,
  +             "Allow URLs containing '/' encoded as '%2F'"),
   
   /*
    * These are default configuration directives that mpms can/should
  
  
  
  1.123     +14 -5     httpd-2.0/server/request.c
  
  Index: request.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/server/request.c,v
  retrieving revision 1.122
  retrieving revision 1.123
  diff -u -u -r1.122 -r1.123
  --- request.c	12 Dec 2002 07:05:54 -0000	1.122
  +++ request.c	23 Jan 2003 21:34:13 -0000	1.123
  @@ -147,13 +147,22 @@
   
       /* Ignore embedded %2F's in path for proxy requests */
       if (!r->proxyreq && r->parsed_uri.path) {
  -        access_status = ap_unescape_url(r->parsed_uri.path);
  +        core_dir_config *d;
  +        d = ap_get_module_config(r->per_dir_config, &core_module);
  +        if (d->allow_encoded_slashes) {
  +            access_status = ap_unescape_url_keep2f(r->parsed_uri.path);
  +        }
  +        else {
  +            access_status = ap_unescape_url(r->parsed_uri.path);
  +        }
           if (access_status) {
               if (access_status == HTTP_NOT_FOUND) {
  -                ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
  -                              "found %%2f (encoded '/') in URI "
  -                              "(decoded='%s'), returning 404",
  -                              r->parsed_uri.path);
  +                if (! d->allow_encoded_slashes) {
  +                    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
  +                                  "found %%2f (encoded '/') in URI "
  +                                  "(decoded='%s'), returning 404",
  +                                  r->parsed_uri.path);
  +                }
               }
               return access_status;
           }
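Review bot: When `allow_encoded_slashes` is on, the HTTP_NOT_FOUND branch now returns 404 without any log entry, yet in that mode `ap_unescape_url_keep2f` (util.c in this commit) returns HTTP_NOT_FOUND only for an encoded NUL, so the one input still rejected is exactly the one no longer recorded. The old message was already imprecise, since the keep2f variant's NUL handling looks inherited from `ap_unescape_url` and that path presumably also yields 404 for `%00`; I would drop the new `if (! d->allow_encoded_slashes)` wrapper and log unconditionally with a message covering both causes, e.g. `"found %%2f (encoded '/') or %%00 in URI (decoded='%s'), returning 404"`. Note also that `%s` on a path holding a decoded NUL prints only the prefix before it, so the logged path is truncated in that case. The enclosing function starts and ends outside the hunk.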
  
  
  
  1.135     +51 -0     httpd-2.0/server/util.c
  
  Index: util.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/server/util.c,v
  retrieving revision 1.134
  retrieving revision 1.135
  diff -u -u -r1.134 -r1.135
  --- util.c	8 Dec 2002 21:05:57 -0000	1.134
  +++ util.c	23 Jan 2003 21:34:13 -0000	1.135
  @@ -1595,6 +1595,57 @@
           return OK;
   }
   
  +AP_DECLARE(int) ap_unescape_url_keep2f(char *url)
  +{
  +    register int badesc, badpath;
  +    char *x, *y;
  +
  +    badesc = 0;
  +    badpath = 0;
  +    /* Initial scan for first '%'. Don't bother writing values before
  +     * seeing a '%' */
  +    y = strchr(url, '%');
  +    if (y == NULL) {
  +        return OK;
  +    }
  +    for (x = y; *y; ++x, ++y) {
  +        if (*y != '%') {
  +            *x = *y;
  +        }
  +        else {
  +            if (!apr_isxdigit(*(y + 1)) || !apr_isxdigit(*(y + 2))) {
  +                badesc = 1;
  +                *x = '%';
  +            }
  +            else {
  +                char decoded;
  +                decoded = x2c(y + 1);
  +                if (IS_SLASH(decoded)) {
  +                    *x++ = *y++;
  +                    *x = *y;
  +                }
  +                else {
  +                    *x = decoded;
  +                    y += 2;
  +                    if (decoded == '\0') {
  +                        badpath = 1;
  +                    }
  +                }
  +            }
  +        }
  +    }
  +    *x = '\0';
  +    if (badesc) {
  +        return HTTP_BAD_REQUEST;
  +    }
  +    else if (badpath) {
  +        return HTTP_NOT_FOUND;
  +    }
  +    else {
  +        return OK;
  +    }
  +}
  +
   AP_DECLARE(char *) ap_construct_server(apr_pool_t *p, const char *hostname,
                                          apr_port_t port, const request_rec *r)
   {
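Review bot: The IS_SLASH branch `*x++ = *y++; *x = *y;` copies the kept escape through byte-for-byte, so `%2f` and `%2F` survive as two different strings and any later literal comparison of the path (presumably the *_walk matching the log message refers to) treats them as distinct; either canonicalize here, `*x++ = '%'; *x++ = apr_toupper(y[1]); *x = apr_toupper(y[2]); y += 2;`, or state in the header docblock that the kept escape is not case-normalized. `register` on `badesc`/`badpath` is a no-op for current compilers and I would drop it. The body otherwise appears to duplicate `ap_unescape_url` apart from this one branch; a file-static worker taking a keep-slashes flag, with both public entry points as one-line wrappers, would keep the two from drifting the next time escape handling is touched.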
  
  
  

Re: cvs commit: httpd-2.0/server core.c request.c util.c

Posted by André Malo <nd...@perlig.de>.
* Justin Erenkrantz wrote:

> --On Friday, January 24, 2003 00:11:22 +0100 André Malo <nd...@perlig.de>
> wrote:
> 
>>>   + * 20020903.1 (2.0.44-dev) allow_encoded_slashes added to
>>>   core_dir_config
>>
>> This should now be 2.0.45-dev, shouldn't it?
> 
> 2.1.0-dev.  -- justin

*err* yes ...

nd
-- 
die (eval q-qq:Just Another Perl Hacker
:-)

# André Malo, <http://www.perlig.de/> #

Re: cvs commit: httpd-2.0/server core.c request.c util.c

Posted by Justin Erenkrantz <je...@apache.org>.
--On Friday, January 24, 2003 00:11:22 +0100 André Malo <nd...@perlig.de> 
wrote:

>>   + * 20020903.1 (2.0.44-dev) allow_encoded_slashes added to
>>   core_dir_config
>
> This should now be 2.0.45-dev, shouldn't it?

2.1.0-dev.  -- justin

Re: cvs commit: httpd-2.0/server core.c request.c util.c

Posted by André Malo <nd...@perlig.de>.
* coar@apache.org wrote:

>   Index: ap_mmn.h
>   ===================================================================
>   RCS file: /home/cvs/httpd-2.0/include/ap_mmn.h,v
>   retrieving revision 1.52
>   retrieving revision 1.53
>   diff -u -u -r1.52 -r1.53
>   --- ap_mmn.h	3 Sep 2002 23:39:43 -0000	1.52
>   +++ ap_mmn.h	23 Jan 2003 21:34:12 -0000	1.53
>   @@ -111,6 +111,7 @@
>     * 20020625 (2.0.40-dev) Changed conn_rec->keepalive to an enumeration
>     * 20020628 (2.0.40-dev) Added filter_init to filter registration functions
>     * 20020903 (2.0.41-dev) APR's error constants changed
>   + * 20020903.1 (2.0.44-dev) allow_encoded_slashes added to core_dir_config

This should now be 2.0.45-dev, shouldn't it?

nd
-- 
$_=q?tvc!uif)%*|#Bopuifs!A`#~tvc!Xibu)%*|qsjou#Kvtu!A`#~tvc!KBQI!)*|~
tvc!ifmm)%*|#Qfsm!A`#~tvc!jt)%*|(Ibdlfs(~  # What the hell is JAPH? ;
@_=split/\s\s+#/;$_=(join''=>map{chr(ord(  #             André Malo ;
$_)-1)}split//=>$_[0]).$_[1];s s.*s$_see;  #  http://www.perlig.de/ ;

Re: cvs commit: httpd-2.0/server core.c request.c util.c

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 12:57 PM 3/19/2003, William A. Rowe, Jr. wrote:

>It would be best if we unparsed and tracked the offsets in the source and
>unescaped query strings of individual components (scheme, user, host,
>path, path_info and query).  We could do something as simple as counting
>the number of slashes in the source and target paths, and failing only when
>those two components mismatch.

Whoh...

This would be even more cool for Win32.  Folks abusing backslashes
for slashes in the 'real path' could be caught (our dir_walk is twisting those
backslashes into slashes, but we rejected those backslashes long before
we got that far.)  But backslashes would become legit in the path_info
and query args on Win32.

This last (most sophisticated) solution fixes even more problems 
than I originally thought.  Counting slashes could be very cool.

Bill



Re: cvs commit: httpd-2.0/server core.c request.c util.c

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Rodent of Unusual Size wrote:
> William A. Rowe, Jr. wrote:
> 
>> And what is the impact of this patch on proxies and using mod_rewrite
>> to proxy certain URIs?
> 
> i will investigate.  i'm tempted to consider this a piece
> of rope, however, and as long as it doesn't open any security
> exposures, caveat emptor.

actually, it should have *no* effect on proxying.  note that
it only happens inside a block starting with

>       if (!r->proxyreq && r->parsed_uri.path) {

-- 
#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"Millennium hand and shrimp!"


Re: cvs commit: httpd-2.0/server core.c request.c util.c

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
William A. Rowe, Jr. wrote:
> 
> The configuration and context below seems odd to me;
	:
> You haven't resolved any <Directory>, <Files>, <Locations> etc in the
> code fragment above... it's too early in the request processing cycle.
> It seems this should not be a dir_conf flag, but actually a server_conf flag 
> since your patch only resolves the directive relative to a given server.

that's right, i didn't.  as explained earlier, this is currently
RSRC_CONF, which means it *can't* appear in any of those containers,
so that point is moot.  that makes it essentially server-scope --
but by treating it as per-dir now, we don't need to shift from
per-server to per-dir when we have a more finely grained solution.

> And what is the impact of this patch on proxies and using mod_rewrite
> to proxy certain URIs?

i will investigate.  i'm tempted to consider this a piece
of rope, however, and as long as it doesn't open any security
exposures, caveat emptor.

> It would be best if we unparsed and tracked the offsets in the source and
> unescaped query strings of individual components (scheme, user, host,
> path, path_info and query).  We could do something as simple as counting
> the number of slashes in the source and target paths, and failing only when
> those two components mismatch.

this has been mentioned several times as a 'gee, it would be
nice.'  unfortunately, it is also a major hassle due to all the
rewriting potential, et cetera.  it's definitely for later.
-- 
#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"Millennium hand and shrimp!"


Re: cvs commit: httpd-2.0/server core.c request.c util.c

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
>coar        2003/01/23 13:34:14
>
>  Modified:    include  ap_mmn.h http_core.h httpd.h
>               server   core.c request.c util.c
>  Log:
>        here we go.  add a directive that will keep %2f from being
>        decoded into '/', allowing the *_walk to do their magic and
>        return 404 if it's in the path, and allowing it in the path-info.

The configuration and context below seems odd to me;

>  --- core.c    18 Jan 2003 03:37:54 -0000      1.229
>  +++ core.c    23 Jan 2003 21:34:13 -0000      1.230
>  @@ -3054,6 +3070,8 @@
>   AP_INIT_ITERATE2("AddOutputFilterByType", add_ct_output_filters,
>          (void *)APR_OFFSETOF(core_dir_config, ct_output_filters), OR_FILEINFO,
>        "output filter name followed by one or more content-types"),
>  +AP_INIT_FLAG("AllowEncodedSlashes", set_allow2f, NULL, RSRC_CONF,
>  +             "Allow URLs containing '/' encoded as '%2F'"),
>
>  --- request.c 12 Dec 2002 07:05:54 -0000      1.122
>  +++ request.c 23 Jan 2003 21:34:13 -0000      1.123
>  @@ -147,13 +147,22 @@
>   
>       /* Ignore embedded %2F's in path for proxy requests */
>       if (!r->proxyreq && r->parsed_uri.path) {
>  -        access_status = ap_unescape_url(r->parsed_uri.path);
>  +        core_dir_config *d;
>  +        d = ap_get_module_config(r->per_dir_config, &core_module);
>  +        if (d->allow_encoded_slashes) {
>  +            access_status = ap_unescape_url_keep2f(r->parsed_uri.path);
>  +        }
>  +        else {
>  +            access_status = ap_unescape_url(r->parsed_uri.path);
>  +        }

You haven't resolved any <Directory>, <Files>, <Locations> etc in the
code fragment above... it's too early in the request processing cycle.
It seems this should not be a dir_conf flag, but actually a server_conf flag 
since your patch only resolves the directive relative to a given server.

Does this make sense?

And what is the impact of this patch on proxies and using mod_rewrite
to proxy certain URIs?  It seems folks have %2f's popping up more and
more often in their query args - and we have a number of much more
pressing bugs that the query /foo?answer=yes%2fno would be discarded.
Usually, path_info is under the web developer's control - but the query
string is rarely in our control, but the users/browsers' control.

I'm afraid that the proxied flavor of this would result in ?answer=yes%2fno
which would be re-escaped to the backend server or redirect as something
like ?answer=yes%252fno which would be a real problem.

It would be good to come up with a schema where the unparse/parse would
actually be their reciprocals.

It would be better if unparse/parse would respect the query_args and be
just a little more tolerant of %2f once the path is complete and the query
string begins.

It would be best if we unparsed and tracked the offsets in the source and
unescaped query strings of individual components (scheme, user, host,
path, path_info and query).  We could do something as simple as counting
the number of slashes in the source and target paths, and failing only when
those two components mismatch.

Bill