Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/07/21 20:57:31 UTC
DO NOT REPLY [Bug 21779] New: -
Need to reject malformed href strings send by webdav client
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21779
Summary: Need to reject malformed href strings send by webdav
client
Product: Apache httpd-2.0
Version: 2.0.47
Platform: Other
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: Other
Component: mod_dav
AssignedTo: bugs@httpd.apache.org
ReportedBy: rgibbons@ccs.carleton.ca
I have encountered two problems in using the Web Folders in XP Pro to
manipulate files hosted on a webdav-enabled webserver. The server is
apache2.0.47 with the mod_dav modules and runs under linux.
The first problem is that XP does not escape the '#' character with
a '%23' as part of the path segment. This is a Microsoft bug in XP as
the Win2K version seems to be better behaved.
The more serious problem is that the Apache server does not reject such
a request but processes it with some nasty results.
In the following example, an authorized client/user has DELETE privileges
on the webdav server. The test file is
called '/websites/davtest/#dav_test.html'
which is a valid filename in linux, unix and MacOS worlds but not in Windows.
When the DELETE submission is made by a Cadaver client or a Win2K client, the
following command is issued to the server
"DELETE /websites/davtest/%23dav_test.html HTTP/1.1"
everything works as it should.
However, when a DELETE submission is made by XP Pro, the server receives
"DELETE /websites/davtest/#23dav_test.html"
which doesn't escape the # character. The server accepts the command
and proceeds to delete the following:
- #23dav_test.html
- all files in the /davtest directory
- the parent directory (davtest).
A server-based solution seems to be in order.
Thanks
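
Added example, not part of the original report and not mod_dav or httpd code: a sketch of the kind of server-side check the report asks for. In generic URI syntax a raw '#' starts the fragment, so a parser that splits there keeps only "/websites/davtest/" as the path, while an HTTP request-target has no fragment part at all. All function and enum names are hypothetical, and the sample targets are the two request lines quoted above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical verdicts; a real module would map the rejects to 400 Bad Request. */
enum target_verdict {
    TARGET_OK = 0,
    TARGET_RAW_FRAGMENT,   /* unescaped '#' in the request-target */
    TARGET_BAD_ESCAPE,     /* '%' not followed by two hex digits */
    TARGET_CTL_OR_SPACE    /* control character or space */
};

/* Length of the path a generic URI split keeps: all bytes before the first '?' or '#'. */
size_t generic_path_len(const char *target)
{
    return strcspn(target, "?#");
}

/* Validate a request-target before any URI parsing is done on it. A raw '#'
 * is refused instead of being treated as a fragment delimiter, so the request
 * can never be silently retargeted at the parent collection. */
enum target_verdict check_request_target(const char *target)
{
    const unsigned char *p = (const unsigned char *)target;

    for (; *p; p++) {
        if (*p == '#')
            return TARGET_RAW_FRAGMENT;
        if (*p <= 0x20 || *p == 0x7f)
            return TARGET_CTL_OR_SPACE;
        if (*p == '%') {
            /* Short-circuit keeps us from reading past the terminator. */
            if (!isxdigit(p[1]) || !isxdigit(p[2]))
                return TARGET_BAD_ESCAPE;
            p += 2;
        }
    }
    return TARGET_OK;
}

int main(void)
{
    /* The two request-targets quoted in the report. */
    const char *escaped = "/websites/davtest/%23dav_test.html";
    const char *raw = "/websites/davtest/#23dav_test.html";

    printf("escaped: verdict %d\n", check_request_target(escaped));
    printf("raw:     verdict %d, generic split keeps \"%.*s\"\n",
           check_request_target(raw), (int)generic_path_len(raw), raw);
    return 0;
}
```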