since a server version long long ago in a century far far away,
we have automatically pitched any request with a uri containing
an encoded slash (i.e., %2f). this was chosen as default behaviour
as pre-emptive defence of lame cgi scripts which might not bother
to validate their input (gasp!). the encoding is undone for the
path_translated envariable, so something containing a string such as
%2f..%2f..%2fetc%2fpasswd.. well, you get the idea.
this behaviour has been reported as a bug at least once, and
i'm hearing more about it (from users, customers, and my boss)
as time goes on, so i want to propose the patch below as a workaround.
i say workaround because, as roy described to me in private mail
last year, encoded slashes in the actual filesystem path are
essentially irrelevant; it's only when they are in the path-info
that things get dicey. however, figuring that out requires
work i haven't managed to accomplish yet (namely, decoding all of
them and remembering where they were, and then re-encoding them
selectively later in the process before making the check).
so: this patch adds a AllowEncodedSlashes flag directive. due to
the addition to the core_dir_config structure, it's a minor mmn
bump too.
anyone opposed? this will at least give people the rope rather
than assuming we know what's best for them..
Index: include/ap_mmn.h
===================================================================
RCS file: /home/cvs/httpd-2.0/include/ap_mmn.h,v
retrieving revision 1.52
diff -u -r1.52 ap_mmn.h
--- include/ap_mmn.h 3 Sep 2002 23:39:43 -0000 1.52
+++ include/ap_mmn.h 30 Oct 2002 15:30:27 -0000
@@ -111,6 +111,7 @@
* 20020625 (2.0.40-dev) Changed conn_rec->keepalive to an enumeration
* 20020628 (2.0.40-dev) Added filter_init to filter registration functions
* 20020903 (2.0.41-dev) APR's error constants changed
+ * 20020903.1 (2.0.44-dev) allow_encoded_slashes added to core_dir_config
*/
#define MODULE_MAGIC_COOKIE 0x41503230UL /* "AP20" */
@@ -118,7 +119,7 @@
#ifndef MODULE_MAGIC_NUMBER_MAJOR
#define MODULE_MAGIC_NUMBER_MAJOR 20020903
#endif
-#define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 1 /* 0...n */
/**
* Determine if the server's current MODULE_MAGIC_NUMBER is at least a
Index: include/http_core.h
===================================================================
RCS file: /home/cvs/httpd-2.0/include/http_core.h,v
retrieving revision 1.70
diff -u -r1.70 http_core.h
--- include/http_core.h 25 Oct 2002 06:52:01 -0000 1.70
+++ include/http_core.h 30 Oct 2002 15:30:27 -0000
@@ -539,7 +539,8 @@
#define ENABLE_SENDFILE_ON (1)
#define ENABLE_SENDFILE_UNSET (2)
unsigned int enable_sendfile : 2; /* files in this dir can be mmap'ed */
-
+ unsigned int allow_encoded_slashes : 1; /* URLs may contain %2f
+ * w/o being pitched */
} core_dir_config;
/* Per-server core configuration */
Index: server/core.c
===================================================================
RCS file: /home/cvs/httpd-2.0/server/core.c,v
retrieving revision 1.215
diff -u -r1.215 core.c
--- server/core.c 25 Oct 2002 15:18:53 -0000 1.215
+++ server/core.c 30 Oct 2002 15:30:28 -0000
@@ -182,6 +182,7 @@
conf->enable_mmap = ENABLE_MMAP_UNSET;
conf->enable_sendfile = ENABLE_SENDFILE_UNSET;
+ conf->allow_encoded_slashes = 0;
return (void *)conf;
}
@@ -452,6 +453,8 @@
conf->enable_sendfile = new->enable_sendfile;
}
+ conf->allow_encoded_slashes = new->allow_encoded_slashes;
+
return (void*)conf;
}
@@ -2086,6 +2089,19 @@
return NULL;
}
+static const char *set_allow2f(cmd_parms *cmd, void *d_, int arg)
+{
+ core_dir_config *d = d_;
+ const char *err = ap_check_cmd_context(cmd, NOT_IN_LIMIT);
+
+ if (err != NULL) {
+ return err;
+ }
+
+ d->allow_encoded_slashes = arg != 0;
+ return NULL;
+}
+
static const char *set_hostname_lookups(cmd_parms *cmd, void *d_,
const char *arg)
{
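Review bot: set_allow2f has no comment saying what the flag controls or where it is consumed, and since the decision it enables lives in request.c a maintainer reading core.c has no way to tell that turning it on bypasses a 404. A short header such as `/* AllowEncodedSlashes On|Off: when On, a URI whose path decodes to contain '/' (%2F) is no longer rejected with 404 in request.c; the decoded slash is then treated as a real path separator */` would make the security trade-off visible at the directive. Also worth stating there that the directive is RSRC_CONF while the value lives in core_dir_config, so it cannot be narrowed per Directory/Location even though the storage suggests it could.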
@@ -3075,6 +3091,8 @@
AP_INIT_ITERATE2("AddOutputFilterByType", add_ct_output_filters,
(void *)APR_OFFSETOF(core_dir_config, ct_output_filters), OR_FILEINFO,
"output filter name followed by one or more content-types"),
+AP_INIT_FLAG("AllowEncodedSlashes", set_allow2f, NULL, RSRC_CONF,
+ "Allow URLs containing '/' encoded as '%2F'"),
/*
* These are default configuration directives that mpms can/should
Index: server/request.c
===================================================================
RCS file: /home/cvs/httpd-2.0/server/request.c,v
retrieving revision 1.117
diff -u -r1.117 request.c
--- server/request.c 25 Oct 2002 16:38:11 -0000 1.117
+++ server/request.c 30 Oct 2002 15:30:28 -0000
@@ -150,12 +150,21 @@
access_status = ap_unescape_url(r->parsed_uri.path);
if (access_status) {
if (access_status == HTTP_NOT_FOUND) {
- ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
- "found %%2f (encoded '/') in URI "
- "(decoded='%s'), returning 404",
- r->parsed_uri.path);
+ core_dir_config *d;
+ d = ap_get_module_config(r->per_dir_config, &core_module);
+ if (d->allow_encoded_slashes) {
+ access_status = 0;
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
+ "found %%2f (encoded '/') in URI "
+ "(decoded='%s'), returning 404",
+ r->parsed_uri.path);
+ }
+ }
+ if (access_status) {
+ return access_status;
}
- return access_status;
}
}
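Review bot: Clearing `access_status = 0` whenever ap_unescape_url returned HTTP_NOT_FOUND treats every such status as "an encoded slash", but nothing in this hunk shows that HTTP_NOT_FOUND is reserved for %2F; if the decoder reports other unsafe decoded bytes in the path (an encoded NUL, for instance) with the same status, AllowEncodedSlashes On would let those through as well — confirm against util.c, or have the decoder distinguish the two cases (e.g. a variant that keeps %2F and still rejects the rest) before relying on this. The branch also leaves r->parsed_uri.path with the slash already decoded, so everything downstream sees a plain '/' and path-info splitting will behave as if the client had sent a literal slash, which is exactly the case the description calls "dicey"; a comment at the `access_status = 0;` line such as `/* AllowEncodedSlashes On: %2F is now a plain '/' in the path and will act as a separator from here on */` would keep that visible. The enclosing function starts and ends outside the hunk.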