Bug 57999

Summary: ap_getparents() may remove start slash of uri
Product: Apache httpd-2 Reporter: xudong <httpmonitor>
Component: CoreAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: normal    
Priority: P2    
Version: 2.4.12   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description xudong 2015-06-04 07:26:05 UTC
When I send a request like this:
GET /test/../../etc/passwd HTTP/1.0

Apache will report an error:
AH00126: Invalid URI in request GET /test/../../etc/passwd HTTP/1.0

In file server/request.c line 154
ap_getparents() change r->uri from /test/../../etc/passwd to etc/passwd
and etc/passwd is an invalid uri.