Bug 55712 - Relative <!--#include virtual="../file.shtml"--> gets confused by double slashes in request URL
Summary: Relative <!--#include virtual="../file.shtml"--> gets confused by double slas...
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_include (show other bugs)
Version: 2.4.6
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-28 11:29 UTC by Anders Kaseorg
Modified: 2013-10-28 11:36 UTC (History)
0 users


Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Anders Kaseorg 2013-10-28 11:29:43 UTC 

    


    


      



        
          Comment 1
        

        
          Anders Kaseorg

        

        
        

        
          2013-10-28 11:36:07 UTC
        

      






This document at DOCUMENT_ROOT/subdir/index.shtml:

<!--#include virtual="../file.shtml"-->

obviously intends to include DOCUMENT_ROOT/file.shtml, which indeed is what it will do when accessed through http://server/subdir/index.shtml.  However, when accessed through http://server/subdir//index.shtml (with an extra slash), it will instead include DOCUMENT_ROOT/subdir/file.shtml!  This leads to “[an error occurred while processing this directive]” if the latter file doesn’t exist, or the wrong file being included if it does.  (One could perhaps imagine this leading to an information disclosure vulnerability in contrived cases.)

This problem exists as far back as 2.0.40, but it doesn’t seem to exist on a 1.3.x server (that isn’t mine, so I can’t say for sure).