Rainer, On 10/23/2011 12:19 PM, rj...@apache.org wrote: > +/* > + * Find the first occurrence of path in uri tokenized by "/". > + * The comparison is done case insensitive. > + */ > +static const char *find_path_in_uri(const char *uri, const char *path) > +{ > + size_t len = strlen(path); > + while (uri = strchr(uri, '/')) {
I think "//" in a URL will cause this loop to exit early, possibly avoiding this security check. > + uri++; > + if (!strncmp(uri, path, len) && strncmp doesn't use case-insensitive compare: will this ever match if you use "web-inf" (as below)? > + (*(uri + len) == '/' || > + strlen(uri) == len)) { > + return uri; > + } > + } > + return NULL; > +} > + > static int uri_is_web_inf(const char *uri) > { > - if (stristr(uri, "/web-inf")) { > + if (find_path_in_uri(uri, "web-inf")) { > return JK_TRUE; This will return JK_TRUE if "web-inf" occurs at any place in the path, not just at the context level. Is that a problem? I can imagine that a request for /context/foo/WEB-INF/something might be valid. -chris
signature.asc
Description: OpenPGP digital signature