Hello,

On Thu, Dec 4, 2014 at 4:20 PM, Justin Kennedy <jkenn...@pingidentity.com> wrote:
> Here is the code in question:
>
> /* ensure r->uri and r->unparsed_uri are similar to prevent path traversal
> attacks */
>
> unparsed_uri = apr_pstrdup(r->pool, r->unparsed_uri);
>
> /* get the unparsed base uri (everything up to '?') */
> unparsed_uri_base = apr_strtok(unparsed_uri, "?", &buf);
>
> buf = strstr(r->uri, unparsed_uri_base);
>
> /*** ISSUE: If there is a space in the URL then r->uri will have the
> encoded space as %20 and r->unparsed_uri will not */
There can't be a space in the HTTP URL received by httpd; the space must be %20-escaped (urlencoded) by the client to form a valid HTTP request line.
Hence both r->unparsed_uri and r->uri should have the %20 (see read_request_line() and ap_parse_uri()), unlike r->parsed_uri.path, which is later ap_unescape()d in ap_process_request_internal(), where r->uri is also sanitized against all forms of dot-slashes.

>
> /* compare unparsed base with parsed uri */
> if(buf == NULL || strlen(r->uri) != strlen(buf)) {

Where does this r->uri come from?

> error(
> cfg,
> "Malformed URI"
> );
> return HTTP_INTERNAL_SERVER_ERROR;
> }

Regards,
Yann.
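The following is an added, stand-alone model of the comparison quoted above; it is not code from the thread, from the module under discussion, or from httpd. It reproduces the posted strstr()/strlen() test on plain C strings (posted_check()), and uses a small percent-decoder (percent_decode(), an assumed stand-in for httpd's ap_unescape_url(), not its code) to show what happens when one side of the comparison still carries the %20 and the other has been decoded. The request paths are constructed for the example; the function names are this example's own.

```c
/*
 * Added example, not from the thread or from httpd: a stand-alone model of
 * the quoted r->unparsed_uri / r->uri comparison, with a small percent-decoder
 * standing in for ap_unescape_url().
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Assumed stand-in for ap_unescape_url(): decode %XX sequences in place.
 * Returns 0 on success, -1 if an escape is truncated or not hex. */
static int percent_decode(char *s)
{
    char *w = s;
    for (const char *p = s; *p; ++p) {
        if (*p == '%') {
            if (!isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2]))
                return -1;
            char hex[3] = { p[1], p[2], '\0' };
            *w++ = (char)strtol(hex, NULL, 16);
            p += 2;
        } else {
            *w++ = *p;
        }
    }
    *w = '\0';
    return 0;
}

/* The posted comparison on plain strings instead of request_rec fields:
 * take everything before '?' from the unparsed URI (what apr_strtok() yields
 * for the normal case), locate it in uri with strstr(), and accept only when
 * the match starts at offset 0 (strlen(uri) == strlen(hit)).
 * Returns 1 when the check passes, 0 when the module would answer
 * "Malformed URI". */
static int posted_check(const char *unparsed_uri, const char *uri)
{
    char base[512];
    size_t n = strcspn(unparsed_uri, "?");
    if (n == 0 || n >= sizeof base)   /* empty base: treat like a NULL token */
        return 0;
    memcpy(base, unparsed_uri, n);
    base[n] = '\0';

    const char *hit = strstr(uri, base);
    return hit != NULL && strlen(uri) == strlen(hit);
}

/* Constructed request "GET /a%20b/c?x=1": the request line cannot carry a raw
 * space, so both fields keep the %20 and the check passes. */
static int encoded_both_sides(void)
{
    return posted_check("/a%20b/c?x=1", "/a%20b/c");
}

/* Same request, but the path handed to the check has been percent-decoded
 * (as r->parsed_uri.path is by ap_unescape_url()). The %20 side no longer
 * matches the decoded side, so the check fails. */
static int decoded_one_side(void)
{
    char uri[] = "/a%20b/c";
    if (percent_decode(uri) != 0)
        return -1;
    return posted_check("/a%20b/c?x=1", uri);
}

/* The posted test only requires the unparsed base to occur at offset 0 of
 * the URI, so a longer URI sharing that prefix also passes; strcmp() would
 * require the two to be equal. */
static int longer_uri_passes(void)
{
    return posted_check("/app?x=1", "/application");
}

int main(void)
{
    printf("both sides %%20-encoded : %s\n", encoded_both_sides() ? "pass" : "Malformed URI");
    printf("one side decoded       : %s\n", decoded_one_side() ? "pass" : "Malformed URI");
    printf("longer uri, same prefix: %s\n", longer_uri_passes() ? "pass" : "Malformed URI");
    return 0;
}
```

Run it to see the three outcomes side by side: the encoded/encoded pair passes, the encoded/decoded pair is rejected as "Malformed URI" (the symptom described in the report, whichever of the two fields ends up decoded), and the prefix case passes because the posted test compares lengths from the strstr() hit rather than the strings themselves.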