Posted to bugs@httpd.apache.org by bu...@apache.org on 2003/07/21 20:57:31 UTC

DO NOT REPLY [Bug 21779] New: - Need to reject malformed href strings sent by webdav client

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21779

           Summary: Need to reject malformed href strings sent by webdav
                    client
           Product: Apache httpd-2.0
           Version: 2.0.47
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_dav
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: rgibbons@ccs.carleton.ca


I have encountered two problems in using the Web Folders in XP Pro to
manipulate files hosted on a webdav-enabled webserver.  The server is
apache2.0.47 with the mod_dav modules and runs under linux.

The first problem is that XP does not escape the '#' character with
a '%23' as part of the path segment.  This is a Microsoft bug in XP as
the Win2K version seems to be better behaved.

The more serious problem is that the Apache server does not reject such
a request but processes it with some nasty results.

In the following example, an authorized client/user has DELETE privileges
on the webdav server.  The test file is called
'/websites/davtest/#dav_test.html', which is a valid filename in the linux,
unix and MacOS worlds but not in Windows.

When the DELETE submission is made by a Cadaver client or a Win2K client, the
following command is issued to the server
    "DELETE /websites/davtest/%23dav_test.html HTTP/1.1"
and everything works as it should.

However, when a DELETE submission is made by XP Pro, the server receives
    "DELETE /websites/davtest/#23dav_test.html"
which doesn't escape the # character.  The server accepts the command
and proceeds to delete the following
    #23dav_test.html
    all files in the /davtest directory
    the parent directory (davtest).

A server-based solution seems to be in order.

Thanks
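
Added example, not part of the original report and not httpd's own code: a
sketch of the server-side check the report asks for, run over the two DELETE
targets quoted above. It assumes the damage comes from generic URI parsing,
which treats everything after a raw '#' as a fragment; the function and enum
names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this sketch (not httpd's own). */
enum target_check { TARGET_OK, TARGET_NOT_ORIGIN_FORM,
                    TARGET_HAS_FRAGMENT, TARGET_BAD_ESCAPE };

static int is_hex(char c)
{
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
           (c >= 'A' && c <= 'F');
}

/* Validate an origin-form request target before any URI splitting.
 * A raw '#' is rejected: clients must send it as %23 in a path segment. */
enum target_check check_request_target(const char *target)
{
    if (target == NULL || target[0] != '/')
        return TARGET_NOT_ORIGIN_FORM;
    for (const char *p = target; *p != '\0'; p++) {
        if (*p == '#')
            return TARGET_HAS_FRAGMENT;
        if (*p == '%' && !(is_hex(p[1]) && is_hex(p[2])))
            return TARGET_BAD_ESCAPE;   /* '%' not followed by two hex digits */
    }
    return TARGET_OK;
}

/* What a generic URI splitter keeps as the path: the bytes before the first
 * '?' or '#'. Returns the length, or (size_t)-1 if out is too small. */
size_t uri_path_part(const char *target, char *out, size_t outlen)
{
    size_t n = strcspn(target, "?#");
    if (n + 1 > outlen)
        return (size_t)-1;
    memcpy(out, target, n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* The two request targets quoted in the report. */
    const char *targets[] = { "/websites/davtest/%23dav_test.html",
                              "/websites/davtest/#23dav_test.html" };
    char path[128];
    for (size_t i = 0; i < 2; i++) {
        uri_path_part(targets[i], path, sizeof path);
        printf("%-40s check=%d path-after-split=%s\n",
               targets[i], (int)check_request_target(targets[i]), path);
    }
    return 0;
}
```

For the unescaped target the split path is the collection /websites/davtest/
itself, which is why a request carrying a raw '#' should be answered with an
error before the method handler runs.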