For the time being... -1. This sort of radical change doesn't belong on an already released branch.
I'm not likely to reverse on this but would accept a more narrow patch. Submitter completely discounts the fact that the entire env table modulo the http/1.1 input was already in utf-8. On 10/29/2011 2:44 PM, [email protected] wrote: > Author: fuankg > Date: Sat Oct 29 19:44:45 2011 > New Revision: 1194999 > > URL: http://svn.apache.org/viewvc?rev=1194999&view=rev > Log: > Applied backport: Invert logic for env var utf-8 fixing. > > Now we exclude a list of vars which we know for sure they > dont hold utf-8 chars; all other vars will be fixed. This > has the benefit that now also all vars from 3rd-party > modules will be fixed. > > Modified: > httpd/httpd/branches/2.2.x/CHANGES > httpd/httpd/branches/2.2.x/STATUS > httpd/httpd/branches/2.2.x/modules/arch/win32/mod_win32.c > > Modified: httpd/httpd/branches/2.2.x/CHANGES > URL: > http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1194999&r1=1194998&r2=1194999&view=diff > ============================================================================== > --- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original) > +++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Sat Oct 29 19:44:45 2011 
> @@ -1,6 +1,12 @@ > -*- coding: utf-8 > -*- > Changes with Apache 2.2.22 > > + *) mod_win32: Invert logic for env var UTF-8 fixing. > + Now we exclude a list of vars which we know for sure they dont hold > UTF-8 > + chars; all other vars will be fixed. This has the benefit that now also > + all vars from 3rd-party modules will be fixed. PR 13029 / 34985. > + [Guenter Knauf] > + > *) SECURITY: CVE-2011-3368 (cve.mitre.org) > Reject requests where the request-URI does not match the HTTP > specification, preventing unexpected expansion of target URLs in > > Modified: httpd/httpd/branches/2.2.x/STATUS > URL: > http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1194999&r1=1194998&r2=1194999&view=diff > ============================================================================== > --- httpd/httpd/branches/2.2.x/STATUS (original) > +++ httpd/httpd/branches/2.2.x/STATUS Sat Oct 29 19:44:45 2011 
> @@ -92,18 +92,6 @@ RELEASE SHOWSTOPPERS: > PATCHES ACCEPTED TO BACKPORT FROM TRUNK: > [ start all new proposals below, under PATCHES PROPOSED. ] > > - * mod_win32: Invert logic for env var UTF-8 fixing. > - Now we exclude a list of vars which we know for sure they > - dont hold UTF-8 chars; all other vars will be fixed. This > - has the benefit that now also all vars from 3rd-party modules > - will be fixed. This fix is based on PR 13029 / 34985, and > - includes now the SSL_ and GEOIP_ vars; otherwise its impossible > - to run CGIs when mod_ssl and/or mod_geoip are loaded and those > - mods return UTF-8 chars in any var during a request. > - Trunk patch: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/arch/win32/mod_win32.c?r1=1054347&r2=1146932 > - 2.2.x patch: > http://people.apache.org/~fuankg/diffs/2.2.x-mod_win32.c.diff > - +1: fuankg, gsmith, rjung > - > * mod_log_config: Fix segfault for 'BufferedLogs Off'. PR 50861. > Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1082518 > 2.2.x patch: Trunk patch works > > Modified: httpd/httpd/branches/2.2.x/modules/arch/win32/mod_win32.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/arch/win32/mod_win32.c?rev=1194999&r1=1194998&r2=1194999&view=diff > ============================================================================== > --- httpd/httpd/branches/2.2.x/modules/arch/win32/mod_win32.c (original) > +++ httpd/httpd/branches/2.2.x/modules/arch/win32/mod_win32.c Sat Oct 29 > 19:44:45 2011 
> @@ -531,13 +531,13 @@ static apr_status_t ap_cgi_build_command > * application (following the OEM or Ansi code page in effect.) > */ > for (i = 0; i < elts_arr->nelts; ++i) { > - if (win_nt && elts[i].key && *elts[i].key > - && (strncmp(elts[i].key, "HTTP_", 5) == 0 > - || strncmp(elts[i].key, "SERVER_", 7) == 0 > - || strncmp(elts[i].key, "REQUEST_", 8) == 0 > - || strcmp(elts[i].key, "QUERY_STRING") == 0 > - || strcmp(elts[i].key, "PATH_INFO") == 0 > - || strcmp(elts[i].key, "PATH_TRANSLATED") == 0)) { > + if (win_nt && elts[i].key && *elts[i].key && *elts[i].val > + && !(strncmp(elts[i].key, "REMOTE_", 7) == 0 > + || strcmp(elts[i].key, "GATEWAY_INTERFACE") == 0 > + || strcmp(elts[i].key, "REQUEST_METHOD") == 0 > + || strcmp(elts[i].key, "SERVER_ADDR") == 0 > + || strcmp(elts[i].key, "SERVER_PORT") == 0 > + || strcmp(elts[i].key, "SERVER_PROTOCOL") == 0)) { > prep_string((const char**) &elts[i].val, r->pool); > } > } > > >
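Review bot: In the CHANGES hunk (@@ -1,6 +1,12 @@), the new entry does not say which variables are excluded, so someone reading the release notes cannot tell that the conversion now applies to everything except REMOTE_*, GATEWAY_INTERFACE, REQUEST_METHOD, SERVER_ADDR, SERVER_PORT and SERVER_PROTOCOL. Suggest naming the excluded set in the entry or pointing to mod_win32.c for it, and correcting "dont" to "don't".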
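Review bot: In the mod_win32.c hunk (@@ -531,13 +531,13 @@), the added `*elts[i].val` test dereferences the value without a NULL check, while the key in the same condition is guarded with `elts[i].key && *elts[i].key`. Suggest `elts[i].val && *elts[i].val` so an entry with a NULL value is skipped rather than dereferenced. The exclusion list also carries no comment on why these six names are known not to hold UTF-8; since every variable not listed now reaches prep_string(), including ones set by third-party modules, a short comment stating the criterion for adding a name to the list would help the next maintainer.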
