Bug 55712 - Relative <!--#include virtual="../file.shtml"--> gets confused by double slashes in request URL
Summary: Relative <!--#include virtual="../file.shtml"--> gets confused by double slas...
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_include (show other bugs)
Version: 2.4.6
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2013-10-28 11:29 UTC by Anders Kaseorg
Modified: 2013-10-28 11:36 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Anders Kaseorg 2013-10-28 11:29:43 UTC

Comment 1 Anders Kaseorg 2013-10-28 11:36:07 UTC
This document at DOCUMENT_ROOT/subdir/index.shtml:

<!--#include virtual="../file.shtml"-->

obviously intends to include DOCUMENT_ROOT/file.shtml, which indeed is what it will do when accessed through http://server/subdir/index.shtml.  However, when accessed through http://server/subdir//index.shtml (with an extra slash), it will instead include DOCUMENT_ROOT/subdir/file.shtml!  This leads to “[an error occurred while processing this directive]” if the latter file doesn’t exist, or the wrong file being included if it does.  (One could perhaps imagine this leading to an information disclosure vulnerability in contrived cases.)

This problem exists as far back as 2.0.40, but it doesn’t seem to exist on a 1.3.x server (that isn’t mine, so I can’t say for sure).