* Niklas Edmundsson wrote:

> On Thu, 30 Apr 2015, Yann Ylavic wrote:
> > On Thu, Apr 30, 2015 at 2:57 PM, Jim Riggs <apache-li...@riggs.me> 
wrote:
> >> Thanks, Yann. I remember looking at this code before. The question
> >> remains, though: Is it currently "wrong"? Does it need to be "fixed",
> >> or was this distinction made intentionally? Is there a specific use
> >> case that requires the regex-matching directives to not get
> >> slash-normalized URIs?
> >
> > I would like it to be fixed, non leading "/+" is equivalent to "/",
> > this would break very few (if any) cases IMHO, and may even unbreak
> > more ones .
>
> +1
>
> I would expect Location and LocationMatch using the same uri for
> comparison.

Hmm, that assumption is wrong by definition. Location always matches a 
prefix (a part of a parsed/unparsed url), while LocationMatch always 
matches the complete URL.

> I would actually go so far as the current state might 
> warrant a CVE for being a hidden security risk that might cause
> inadvertent information exposure.

It *is* documented right here, btw: 
http://httpd.apache.org/docs/2.4/mod/core.html#location

(found it, eventually...)

nd
-- 
"Umfassendes Werk (auch fuer Umsteiger vom Apache 1.3)"
                                          -- aus einer Rezension

<http://pub.perlig.de/books.html#apache2>

Reply via email to