Bug 66372 - Ambiguous and undocumented syntax of quoted strings
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Runtime Config
Version: 2.4.54
Hardware: PC Linux
Importance: P2 minor
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
 
Reported: 2022-12-02 04:12 UTC by Walf
Modified: 2022-12-02 04:12 UTC



Description Walf 2022-12-02 04:12:26 UTC
https://httpd.apache.org/docs/trunk/configuring.html#syntax says only "Arguments to directives are separated by whitespace. If an argument contains spaces, you must enclose that argument in quotes."

It does not specify whether this means double and/or single, that backslash is used as the escape character, nor any rules about escaping. I did some testing and also noticed some odd behaviour. I added the following test config to the default htdocs <Directory>:

    "Header""always""set""X-Space-Check""Wut"
    Header always set Content-Disposition "inline; filename=\"I can't believe it's not header!.html\""
    Header always set Arbitrary-Data "//\\/\/\\"
    Header always set Expr-Test-Single passed "expr=%{REQUEST_URI} =~ /[a-z]\.h/"
    Header always set Expr-Test-Double passed "expr=%{REQUEST_URI} =~ /[a-z]\\.h/"
    AllowOverride All
    RewriteEngine On
    RewriteRule ^x\.html$ index.html [END]
    RewriteRule "^y\.html$" index.html [END]
    "RewriteRule""^z\.html$""index.html""[END]"
    "RewriteRule" "^p\\.html$" "index.html" "[END]"
    #"RewriteRule" "^q\".html$" "index.html" "[END]"
    #"RewriteRule" "^r\\\".html$" "index.html" "[END]"

All headers were set.

The first directive indicates that whitespace between quoted params is ignored, contrary to the docs. I was checking whether repeated delimiters could be used as an escape method. It'd be simpler, but the current behaviour would make that a backwards-compatibility breakage.

The third line indicates the backslash is passed through if not escaping another, or a delimiter, because it outputs this:
    Arbitrary-Data: //\/\/\

Likewise, the expr= tests both behave as if the regex engine only sees a single backslash before the dot.

The x, y & z rewrite rules all match in the same manner, again ignoring the concatenation of quoted strings. A request for /p.html causes a 404, suggesting the doubled-backslash does not get parsed into a single, unlike the Header directive literals.

The q & r rules are commented out because they each trigger this error:
    AH00526: Syntax error on line 258 of /path/to/httpd/compiled/conf/httpd.conf:
    RewriteRule: bad flag delimiters
whereas I'd expect "^q\".html$" and "^r\\\".html$" to be parsed into ^q".html$ and ^r\".html$, respectively, even if they wouldn't match any requests.

---

I started a discussion about it here https://stackoverflow.com/q/74636889/315024 because I feel I'm not looking in the right place.
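
A model of the argument splitting that the Header results in this report are consistent with, as an added example that is not part of the original report and is not httpd source code. The name `split_args` and the handling of unquoted arguments are assumptions; the model does not cover RewriteRule, whose pattern the report found to be handled differently.

```python
# Model inferred from the report's observations for Header directives.
# Not httpd code. Assumption: unquoted arguments collapse "\\" the same way.

def split_args(line):
    """Split one directive line into a list of arguments."""
    args, i, n = [], 0, len(line)
    while True:
        while i < n and line[i].isspace():
            i += 1
        if i >= n:
            return args
        # Either quote character opens a quoted argument.
        quote = line[i] if line[i] in "\"'" else ""
        if quote:
            i += 1
        out = []
        while i < n:
            ch = line[i]
            nxt = line[i + 1] if i + 1 < n else ""
            if ch == "\\" and nxt and (nxt == "\\" or nxt == quote):
                # A backslash escapes only another backslash or the open quote.
                out.append(nxt)
                i += 2
            elif quote and ch == quote:
                # The closing quote ends the argument even when no
                # whitespace follows, so "a""b" yields two arguments.
                i += 1
                break
            elif not quote and ch.isspace():
                break
            else:
                # Any other backslash is passed through unchanged.
                out.append(ch)
                i += 1
        args.append("".join(out))


if __name__ == "__main__":
    # Constructed from the report's third test line.
    sample = r'Header always set Arbitrary-Data "//\\/\/\\"'
    print(split_args(sample))
```
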