Posted to dev@httpd.apache.org by Ian Holsman <ia...@apache.org> on 2002/03/19 19:56:35 UTC

moving gen_test_char from server/ to apr-util/

Any objections?
If we do this, we can move some other functions which are generic into
apr-util.

ap_escape_os_path for example

..Ian


Re: moving gen_test_char from server/ to apr-util/

Posted by Greg Stein <gs...@lyra.org>.
On Tue, Mar 19, 2002 at 08:41:11PM +0100, Sander Striker wrote:
> > From: William A. Rowe, Jr. [mailto:wrowe@rowe-clan.net]
> > Sent: 19 April 2002 20:31
> 
> > At 01:56 PM 3/19/2002, you wrote:
> > >any objections ?
> > >if we do this we can move some other functions which are generic into 
> > >apr-util.

+1

> > >ap_escape_os_path for example
> > 
> > That example should move to apr (associated with apr_proc_create),
> > not apr-util.  Other uses of gen_test_char should move to apr-util [the
> > many escape patterns of http, rfc822 encoding, etc.]

There should never be a need to escape an OS path, which would obviate any
need to move to APR. If we need to escape an OS path, then that means we're
leaking an OS path (i.e. security issue).

About the only place that I can think an OS path would be leaked is in
mod_info or somesuch. But even then, that would be *HTML* escape, not URI
escaping. And those are entirely different.

> Well, the function I'd really like to move is ap_escape_uri.  That
> is simply a macro that calls ap_escape_os_path.

And that macro is *WRONG*. Operating system paths are not the same as URI
paths, and there should be two separate functions to do the escaping.

As a matter of fact, there have been observed problems with the incorrect
URI escaping because of that macro overlay.

> It would be nice if we could have all the uri manipulation stuff
> in apr-util.

I absolutely agree.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/
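
Added example (not part of the original thread, and not httpd or APR code): a small table-driven escaper illustrating the distinction drawn in the message above, that URI-path escaping and HTML escaping act on different character sets and produce different output for the same string. The flag names, the table, and the functions escape_for, uri_escape_path and html_escape are hypothetical, and the sample file name is constructed.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical flags, one bit per output context (added example). */
#define F_URI_PATH 0x01   /* must be %XX-encoded inside a URI path */
#define F_HTML     0x02   /* must become an entity in HTML text */
static unsigned char char_class[256];

static void build_table(void)
{   /* RFC 3986 path characters: unreserved, sub-delims, ':', '@', '/' */
    const char *uri_ok = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                         "0123456789-._~!$&'()*+,;=:@/";
    for (int c = 0; c < 256; c++)
        char_class[c] = (c && strchr(uri_ok, c)) ? 0 : F_URI_PATH;
    for (const char *p = "<>&\""; *p; p++)
        char_class[(unsigned char)*p] |= F_HTML;
}

/* Escape for one context; returns output length, or -1 if out is too small. */
static int escape_for(unsigned ctx, const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (!char_class[0]) build_table();   /* entry 0 is nonzero once built */
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        char rep[8] = { (char)c, '\0' };  /* default: copy the byte through */
        if (char_class[c] & ctx & F_URI_PATH)
            snprintf(rep, sizeof rep, "%%%02X", (unsigned)c);
        else if (char_class[c] & ctx & F_HTML)
            snprintf(rep, sizeof rep, "&%s;", c == '<' ? "lt" : c == '>' ? "gt"
                                            : c == '&' ? "amp" : "quot");
        size_t n = strlen(rep);
        if (o + n >= outsz) return -1;    /* keep room for the terminator */
        memcpy(out + o, rep, n);
        o += n;
    }
    if (o >= outsz) return -1;
    out[o] = '\0';
    return (int)o;
}
static int uri_escape_path(const char *in, char *out, size_t n) { return escape_for(F_URI_PATH, in, out, n); }
static int html_escape(const char *in, char *out, size_t n) { return escape_for(F_HTML, in, out, n); }

int main(void)
{
    char u[64], h[64];
    const char *name = "a&b <c>.html";   /* constructed sample */
    if (uri_escape_path(name, u, sizeof u) < 0 || html_escape(name, h, sizeof h) < 0) return 1;
    printf("URI : %s\nHTML: %s\n", u, h);
    return 0;
}
```

In the URI context the "&" passes through while the space and angle brackets are percent-encoded; in the HTML context the space passes through while "&", "<" and ">" become entities, so output from one escaper is not safe in the other context.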

RE: moving gen_test_char from server/ to apr-util/

Posted by Sander Striker <st...@apache.org>.
> From: William A. Rowe, Jr. [mailto:wrowe@rowe-clan.net]
> Sent: 19 April 2002 20:31

> At 01:56 PM 3/19/2002, you wrote:
> >any objections ?
> >if we do this we can move some other functions which are generic into 
> >apr-util.
> >
> >ap_escape_os_path for example
> 
> That example should move to apr (associated with apr_proc_create),
> not apr-util.  Other uses of gen_test_char should move to apr-util [the
> many escape patterns of http, rfc822 encoding, etc.]

Well, the function I'd really like to move is ap_escape_uri.  That
is simply a macro that calls ap_escape_os_path.

It would be nice if we could have all the uri manipulation stuff
in apr-util.

Sander


Re: moving gen_test_char from server/ to apr-util/

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 01:56 PM 3/19/2002, you wrote:
>any objections ?
>if we do this we can move some other functions which are generic into 
>apr-util.
>
>ap_escape_os_path for example

That example should move to apr (associated with apr_proc_create),
not apr-util.  Other uses of gen_test_char should move to apr-util [the
many escape patterns of http, rfc822 encoding, etc.]


