Bug 55712

Summary: Relative <!--#include virtual="../file.shtml"--> gets confused by double slashes in request URL
Product: Apache httpd-2 Reporter: Anders Kaseorg <andersk>
Component: mod_includeAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: normal    
Priority: P2    
Version: 2.4.6   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description Anders Kaseorg 2013-10-28 11:29:43 UTC

Comment 1 Anders Kaseorg 2013-10-28 11:36:07 UTC
This document at DOCUMENT_ROOT/subdir/index.shtml:

<!--#include virtual="../file.shtml"-->

obviously intends to include DOCUMENT_ROOT/file.shtml, which indeed is what it will do when accessed through http://server/subdir/index.shtml.  However, when accessed through http://server/subdir//index.shtml (with an extra slash), it will instead include DOCUMENT_ROOT/subdir/file.shtml!  This leads to “[an error occurred while processing this directive]” if the latter file doesn’t exist, or the wrong file being included if it does.  (One could perhaps imagine this leading to an information disclosure vulnerability in contrived cases.)

This problem exists as far back as 2.0.40, but it doesn’t seem to exist on a 1.3.x server (that isn’t mine, so I can’t say for sure).