Bug 65238 - URL slash merging broken
Summary: URL slash merging broken
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core (show other bugs)
Version: 2.4.39
Hardware: All All
: P2 major (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-13 00:46 UTC by Christoph Anton Mitterer
Modified: 2021-06-03 12:01 UTC (History)
0 users


Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Christoph Anton Mitterer 2021-04-13 00:46:53 UTC 
Hey.

When looking at the ambiguities in the documentation for MergeSlashes:
  https://bz.apache.org/bugzilla/show_bug.cgi?id=65073#c1
I've noted that this seems to be more severely broken.

AFAIU before MergeSlashes was added it used to be like that:
- LocationMatch doesn't merge multiple slashes, so one must literally match them in the pattern, or e.g. use something like /+

- Location (non-regex) does merge multiple slashes, so a patter like "/foo/bar" will work for a request for "/foo//bar", too.


But it seems this is no longer the case with either MergeSlashes On or Off.

If set On, it work for:
 <Location "/xx/yy">
 request to "/xx/yy"  => match
 request to "/xx//yy" => match
but on can no longer literally match //:
 <LocationMatch "^/xx//yy$">
 request to "/xx/yy"  => no match
 request to "/xx//yy" => no match

If set Off, one can literally match //:
 <LocationMatch "^/xx//yy$">
 request to "/xx/yy"  => no match
 request to "/xx//yy" => match
but then the folding with Location (non-regex) is broken:
 <Location "/xx/yy">
 request to "/xx/yy"  => match
 request to "/xx//yy" => no match


Cheers,
Chris.
Comment 1 Eric Covener 2021-06-03 12:01:30 UTC 
Thanks for the report. "MergeSlashes OFF" should now act like the historical default behavior in 2.4.47/2.4.48 and later.