Lines 94-99
|
94 |
} |
94 |
} |
95 |
} |
95 |
} |
96 |
|
96 |
|
|
|
97 |
static char* merge_escapes(int encoded_slashes, char* encoded_chars, |
98 |
apr_pool_t *p) { |
99 |
char* echars = encoded_slashes ? "\\/" : 0; |
100 |
if (encoded_chars) { |
101 |
echars = echars ? |
102 |
apr_pstrcat(p, echars, encoded_chars) : encoded_chars; |
103 |
} |
104 |
return echars; |
105 |
} |
106 |
|
97 |
/* This is the master logic for processing requests. Do NOT duplicate |
107 |
/* This is the master logic for processing requests. Do NOT duplicate |
98 |
* this logic elsewhere, or the security model will be broken by future |
108 |
* this logic elsewhere, or the security model will be broken by future |
99 |
* API changes. Each phase must be individually optimized to pick up |
109 |
* API changes. Each phase must be individually optimized to pick up |
Lines 106-127
|
106 |
|
116 |
|
107 |
/* Ignore embedded %2F's in path for proxy requests */ |
117 |
/* Ignore embedded %2F's in path for proxy requests */ |
108 |
if (!r->proxyreq && r->parsed_uri.path) { |
118 |
if (!r->proxyreq && r->parsed_uri.path) { |
109 |
core_dir_config *d; |
119 |
core_dir_config *d = ap_get_module_config(r->per_dir_config, &core_module); |
110 |
d = ap_get_module_config(r->per_dir_config, &core_module); |
120 |
char* echars = merge_escapes(d->allow_encoded_slashes, |
111 |
if (d->allow_encoded_slashes) { |
121 |
d->allow_encoded_chars, r->pool); |
112 |
access_status = ap_unescape_url_keep2f(r->parsed_uri.path); |
122 |
access_status = ap_unescape_url_keepenc(r->parsed_uri.path, echars); |
113 |
} |
|
|
114 |
else { |
115 |
access_status = ap_unescape_url(r->parsed_uri.path); |
116 |
} |
117 |
if (access_status) { |
123 |
if (access_status) { |
118 |
if (access_status == HTTP_NOT_FOUND) { |
124 |
if (access_status == HTTP_NOT_FOUND) { |
119 |
if (! d->allow_encoded_slashes) { |
125 |
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, |
120 |
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, |
126 |
"found illegal chars %%2f (encoded '/') or \\0 in URI " |
121 |
"found %%2f (encoded '/') in URI " |
127 |
"(decoded='%s'), returning 404", |
122 |
"(decoded='%s'), returning 404", |
128 |
r->parsed_uri.path); |
123 |
r->parsed_uri.path); |
|
|
124 |
} |
125 |
} |
129 |
} |
126 |
return access_status; |
130 |
return access_status; |
127 |
} |
131 |
} |
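Review bot: With the old `if (d->allow_encoded_slashes) … else ap_unescape_url(...)` branch removed, rejection of `%2f` now depends entirely on the string `merge_escapes()` passes to `ap_unescape_url_keepenc()`. When `allow_encoded_slashes` is 0, `merge_escapes()` returns `allow_encoded_chars` unchanged, so a configured set containing `/` or `\` would appear to keep encoded slashes even though that switch is off. The directive parser is outside these hunks; either it should reject those characters or `merge_escapes()` should filter them. Please also confirm that `ap_unescape_url_keepenc(path, NULL)` still returns HTTP_NOT_FOUND for `%2f` and `%00` as `ap_unescape_url()` did, since its body is not shown here. Kept characters stay as `%XX` in `r->parsed_uri.path` for every later phase, so I would add a comment above the call such as `/* kept-encoded chars reach the walkers still escaped; handlers must not decode them a second time */`; the enclosing function starts and continues outside the hunk.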