Bug 55712

Summary: Relative <!--#include virtual="../file.shtml"--> gets confused by double slashes in request URL
Product: Apache httpd-2 Reporter: Anders Kaseorg <andersk>
Component: mod_includeAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: normal    
Priority: P2    
Version: 2.4.6   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description Anders Kaseorg 2013-10-28 11:29:43 UTC 

    


    


      



        
          Comment 1
        

        
          Anders Kaseorg

        

        
        

        
          2013-10-28 11:36:07 UTC
        

      






This document at DOCUMENT_ROOT/subdir/index.shtml:

<!--#include virtual="../file.shtml"-->

obviously intends to include DOCUMENT_ROOT/file.shtml, which indeed is what it will do when accessed through http://server/subdir/index.shtml.  However, when accessed through http://server/subdir//index.shtml (with an extra slash), it will instead include DOCUMENT_ROOT/subdir/file.shtml!  This leads to “[an error occurred while processing this directive]” if the latter file doesn’t exist, or the wrong file being included if it does.  (One could perhaps imagine this leading to an information disclosure vulnerability in contrived cases.)

This problem exists as far back as 2.0.40, but it doesn’t seem to exist on a 1.3.x server (that isn’t mine, so I can’t say for sure).