* Niklas Edmundsson wrote: > On Thu, 30 Apr 2015, Yann Ylavic wrote: > > On Thu, Apr 30, 2015 at 2:57 PM, Jim Riggs <apache-li...@riggs.me> wrote: > >> Thanks, Yann. I remember looking at this code before. The question > >> remains, though: Is it currently "wrong"? Does it need to be "fixed", > >> or was this distinction made intentionally? Is there a specific use > >> case that requires the regex-matching directives to not get > >> slash-normalized URIs? > > > > I would like it to be fixed, non leading "/+" is equivalent to "/", > > this would break very few (if any) cases IMHO, and may even unbreak > > more ones . > > +1 > > I would expect Location and LocationMatch using the same uri for > comparison.
Hmm, that assumption is wrong by definition. Location always matches a prefix (a part of a parsed/unparsed url), while LocationMatch always matches the complete URL. > I would actually go so far as the current state might > warrant a CVE for being a hidden security risk that might cause > inadvertent information exposure. It *is* documented right here, btw: http://httpd.apache.org/docs/2.4/mod/core.html#location (found it, eventually...) nd -- "Umfassendes Werk (auch fuer Umsteiger vom Apache 1.3)" -- aus einer Rezension <http://pub.perlig.de/books.html#apache2>