Posted to cvs@httpd.apache.org by wr...@apache.org on 2017/06/26 17:45:23 UTC

svn commit: r1799965 - in /httpd/httpd/trunk: CHANGES server/request.c

Author: wrowe
Date: Mon Jun 26 17:45:23 2017
New Revision: 1799965

URL: http://svn.apache.org/viewvc?rev=1799965&view=rev
Log:
Revert misguided commit r1799731.

Discussion on-list, but any occurrence of a platform-specific behavior in this
code path will alter the behavior of the core code and introduce the very
fingerprintable behavior this patch pretended to obfuscate.

Returning 404 for /CON for example may lead to a module such as mod_speling
revealing the existence of a real file named similar to /.conf, which makes
this an unwise behavior.

Further discussion of returning 404 for all CHR files encountered in the
filepath (not URI path), which currently return 403 on all platforms,
belongs on the dev list.




Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/server/request.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1799965&r1=1799964&r2=1799965&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Mon Jun 26 17:45:23 2017
@@ -5,10 +5,6 @@ Changes with Apache 2.5.0
      This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
      PR 61207. [Christophe Jaillet]
 
-  *) core: Send a 404 response like other OSs do instead of 403 on Windows
-     when a path segment or file requested uses a reserved word so Windows
-     cannot be fingerprinted. PR55887 [Gregg Smith]
-
   *) mod_rewrite: Add 'RewriteOptions LongURLOptimization' to free memory
      from each set of unmatched rewrite conditions.
      [Eric Covener]
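
Review bot: Dropping the PR55887 entry outright leaves CHANGES with no trace of why the 403 response for reserved names stays. The entry sat under "Changes with Apache 2.5.0" and is removed rather than amended, so the reasoning given in the commit log (the mod_speling interaction and the platform-specific code path) should also be recorded on PR55887; otherwise the bug reads as fixed and then silently unfixed.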

Modified: httpd/httpd/trunk/server/request.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/request.c?rev=1799965&r1=1799964&r2=1799965&view=diff
==============================================================================
--- httpd/httpd/trunk/server/request.c (original)
+++ httpd/httpd/trunk/server/request.c Mon Jun 26 17:45:23 2017
@@ -1211,25 +1211,10 @@ AP_DECLARE(int) ap_directory_walk(reques
                 break;
             }
             else if (thisinfo.filetype != APR_DIR) {
-#ifdef _WIN32
-                ap_regex_t *preg;
-#endif
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00038)
                               "Forbidden: %s doesn't point to "
                               "a file or directory",
                               r->filename);
-#ifdef _WIN32
-                /* Windows has a number of reserved words that cannot be used
-                 * as a file or directory name so thisinfo.filetype will
-                 * always be != APR_DIR. Don't allow us be fingerprinted with
-                 * a 403 and instead send a 404 like other OSs would. PR55887
-                 */
-                preg = ap_pregcomp(r->pool,
-               "/(aux|con|com[1-9]|lpt[1-9]|nul|prn)"
-               "($|/|.)", AP_REG_EXTENDED | AP_REG_ICASE);
-                if (ap_regexec(preg, r->uri, 0, NULL, 0) == 0)
-                    return r->status = HTTP_NOT_FOUND;
-#endif
                 return r->status = HTTP_FORBIDDEN;
             }
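
Review bot: The surviving `return r->status = HTTP_FORBIDDEN;` at the end of this hunk is left without any comment, and the removed block carried the only explanation of the 403-versus-404 choice at this point in ap_directory_walk. A short comment there stating that every entry reaching this branch gets 403 on all platforms, and that a per-platform 404 was rejected, would keep the same patch from coming back. Two problems visible in the removed lines are worth recording for any future attempt: the match ran against r->uri while the branch is entered on thisinfo.filetype for r->filename, and the unescaped `.` in `($|/|.)` matches any character, so a name that merely begins with a reserved word also matched.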