Hi Yann,

The variable "r" is the request_rec that is passed into the module's handler hook. Based on my testing, r->unparsed_uri does indeed have a space (it's not encoded to %20).

I need to compare against an unparsed URI because r->uri is vulnerable to a path traversal attack. For instance, this:

    http://abc.me/unprotected_path/../protected_path

becomes:

    http://abc.me/protected_path

Maybe I'm going about it the wrong way, so I'm hoping for some guidance from more experienced developers.

Thank you,

On Thu, Dec 4, 2014 at 6:33 PM, Yann Ylavic <ylavic....@gmail.com> wrote:
> Hello,
>
> On Thu, Dec 4, 2014 at 4:20 PM, Justin Kennedy
> <jkenn...@pingidentity.com> wrote:
> > Here is the code in question:
> >
> >     /* ensure r->uri and r->unparsed_uri are similar to prevent path traversal
> >        attacks */
> >
> >     unparsed_uri = apr_pstrdup(r->pool, r->unparsed_uri);
> >
> >     /* get the unparsed base uri (everything up to '?') */
> >     unparsed_uri_base = apr_strtok(unparsed_uri, "?", &buf);
> >
> >     buf = strstr(r->uri, unparsed_uri_base);
> >
> >     /*** ISSUE: If there is a space in the URL then r->uri will have the
> >          encoded space as %20 and r->unparsed_uri will not */
>
> There can't be a space in the HTTP URL received by httpd, the space
> must be %20-escaped (urlencoded) by the client to form a valid HTTP
> request line.
> Hence both r->unparsed_uri and r->uri should have the %20 (see
> read_request_line() and ap_parse_uri()), unlike r->parsed_uri.path
> which is later ap_unescape()d in ap_process_request_internal(), where
> r->uri is also sanitized against all forms of dot-slashes.
>
> >     /* compare unparsed base with parsed uri */
> >     if(buf == NULL || strlen(r->uri) != strlen(buf)) {
>
> Where does this r->uri come from?
>
> >         error(
> >             cfg,
> >             "Malformed URI"
> >         );
> >         return HTTP_INTERNAL_SERVER_ERROR;
> >     }
>
> Regards,
> Yann.

--
Justin Kennedy
Sr. Development Engineer @ jkenn...@pingidentity.com
+1 604.697.7055
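The comparison discussed in this thread can be reasoned about without httpd at all. The following stand-alone C program is an added example, not code from the thread, from the module in question or from httpd: it strips the query from a raw request-target (what r->unparsed_uri carries), collapses "." and ".." segments in the spirit of httpd's ap_getparents() (the sanitising Yann refers to, re-implemented here for illustration rather than taken from httpd), and then asks whether the raw path and the sanitised path differ, which is the condition the module wants to reject. Percent-escapes such as %20 are left untouched, matching Yann's point that both r->uri and r->unparsed_uri keep them. The function names path_part, collapse_dot_segments, normalized_path and uses_dot_segments are this example's own, and the sample request-targets in main() are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the path part of a request-target, i.e. everything before the first '?'.
 * httpd's r->uri is already the path alone, while r->unparsed_uri still carries
 * the query string, so the query must be dropped before the two are compared.
 * Returns a heap string the caller frees, or NULL on allocation failure. */
char *path_part(const char *unparsed_uri)
{
    size_t len = strcspn(unparsed_uri, "?");
    char *path = malloc(len + 1);
    if (path == NULL)
        return NULL;
    memcpy(path, unparsed_uri, len);
    path[len] = '\0';
    return path;
}

/* Collapse "." and ".." segments of an absolute path in place, in the spirit of
 * httpd's ap_getparents() (a re-implementation for this example, not httpd's
 * own code).  Percent-escapes such as "%20" are not decoded.  Returns 0 on
 * success, -1 for a non-absolute path or allocation failure. */
int collapse_dot_segments(char *path)
{
    size_t n = strlen(path);
    size_t *starts;            /* output offset where each kept segment begins */
    size_t depth = 0;
    char *out = path;
    const char *in = path;

    if (n == 0 || path[0] != '/')
        return -1;
    starts = malloc((n + 1) * sizeof *starts);
    if (starts == NULL)
        return -1;

    in++; out++;               /* keep the leading '/' */
    while (*in != '\0') {
        const char *seg = in;
        size_t seglen = strcspn(in, "/");
        int more;
        in += seglen;
        more = (*in == '/');
        if (more)
            in++;
        if (seglen == 1 && seg[0] == '.') {
            /* "." is the current directory: drop it */
        } else if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            /* "..": rewind output to the start of the previous segment;
             * at the root there is nothing to pop, so it is simply dropped */
            if (depth > 0)
                out = path + starts[--depth];
        } else {
            starts[depth++] = (size_t)(out - path);
            memmove(out, seg, seglen);   /* out never runs ahead of seg */
            out += seglen;
            if (more)
                *out++ = '/';
        }
    }
    *out = '\0';
    free(starts);
    return 0;
}

/* The path as httpd would present it in r->uri after sanitising: query removed,
 * dot segments collapsed.  Heap string, caller frees; NULL on error. */
char *normalized_path(const char *unparsed_uri)
{
    char *path = path_part(unparsed_uri);
    if (path != NULL && collapse_dot_segments(path) != 0) {
        free(path);
        return NULL;
    }
    return path;
}

/* The check the module is after: does the client's raw path differ from its
 * sanitised form, i.e. were dot segments used to reach the resource?
 * Returns 1 when they differ (reject), 0 when they match, -1 on error.
 * strstr()+strlen() as in the thread is a roundabout equality test;
 * strcmp() states the intent directly. */
int uses_dot_segments(const char *unparsed_uri)
{
    char *raw = path_part(unparsed_uri);
    char *clean = normalized_path(unparsed_uri);
    int differs;
    if (raw == NULL || clean == NULL) {
        free(raw);
        free(clean);
        return -1;
    }
    differs = strcmp(raw, clean) != 0;
    free(raw);
    free(clean);
    return differs;
}

int main(void)
{
    /* constructed request-targets for demonstration */
    const char *samples[] = {
        "/unprotected_path/../protected_path",  /* the case from the thread */
        "/protected_path?x=1",                  /* direct request with a query */
        "/some%20dir/file",                     /* escaped space stays escaped */
        "/a/./b/",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *clean = normalized_path(samples[i]);
        printf("%-40s -> %-20s %s\n", samples[i], clean ? clean : "(error)",
               uses_dot_segments(samples[i]) == 1 ? "REJECT" : "ok");
        free(clean);
    }
    return 0;
}
```

Inside a real handler the same decision reduces to comparing path_part(r->unparsed_uri) against r->uri with strcmp(), since httpd has already done the collapsing for r->uri; the re-implementation above only exists so the behaviour can be exercised outside the server.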