Merge of /httpd/httpd/trunk:r1893724

icing · icing · commit 98246aa96079 · 2021-10-01T11:21:11.000Z
*) core: AP_NORMALIZE_DECODE_UNRESERVED should normalize the second dot in the uri-path when it's preceded by a dot. [Yann Ylavic] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893775 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/changes-entries/normalize_unreserved.txt b/changes-entries/normalize_unreserved.txt
@@ -0,0 +1,2 @@
+  *) core: AP_NORMALIZE_DECODE_UNRESERVED should normalize the second dot in
+     the uri-path when it's preceded by a dot.  [Yann Ylavic]
diff --git a/server/util.c b/server/util.c
@@ -502,7 +502,8 @@ static char x2c(const char *what);
 AP_DECLARE(int) ap_normalize_path(char *path, unsigned int flags)
 {
     int ret = 1;
-    apr_size_t l = 1, w = 1;
+    apr_size_t l = 1, w = 1, n;
+    int decode_unreserved = (flags & AP_NORMALIZE_DECODE_UNRESERVED) != 0;
 
     if (!IS_SLASH(path[0])) {
         /* Besides "OPTIONS *", a request-target should start with '/'
@@ -529,7 +530,7 @@ AP_DECLARE(int) ap_normalize_path(char *path, unsigned int flags)
          *  be decoded to their corresponding unreserved characters by
          *  URI normalizers.
          */
-        if ((flags & AP_NORMALIZE_DECODE_UNRESERVED)
+        if (decode_unreserved
                 && path[l] == '%' && apr_isxdigit(path[l + 1])
                                   && apr_isxdigit(path[l + 2])) {
             const char c = x2c(&path[l + 1]);
@@ -567,8 +568,17 @@ AP_DECLARE(int) ap_normalize_path(char *path, unsigned int flags)
                     continue;
                 }
 
-                /* Remove /xx/../ segments */
-                if (path[l + 1] == '.' && IS_SLASH_OR_NUL(path[l + 2])) {
+                /* Remove /xx/../ segments (or /xx/.%2e/ when
+                 * AP_NORMALIZE_DECODE_UNRESERVED is set since we
+                 * decoded only the first dot above).
+                 */
+                n = l + 1;
+                if ((path[n] == '.' || (decode_unreserved
+                                        && path[n] == '%'
+                                        && path[++n] == '2'
+                                        && (path[++n] == 'e'
+                                            || path[n] == 'E')))
+                        && IS_SLASH_OR_NUL(path[n + 1])) {
                     /* Wind w back to remove the previous segment */
                     if (w > 1) {
                         do {
@@ -585,7 +595,7 @@ AP_DECLARE(int) ap_normalize_path(char *path, unsigned int flags)
                     }
 
                     /* Move l forward to the next segment */
-                    l += 2;
+                    l = n + 1;
                     if (path[l]) {
                         l++;
                     }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+ *) core: AP_NORMALIZE_DECODE_UNRESERVED should normalize the second dot in`
	`2`	`+ the uri-path when it's preceded by a dot. [Yann Ylavic]`
Original file line number	Original file line	Diff line number	Diff line change
`@@ -502,7 +502,8 @@ static char x2c(const char *what);`
`502`	`AP_DECLARE(int) ap_normalize_path(char *path, unsigned int flags)`	`502`	`AP_DECLARE(int) ap_normalize_path(char *path, unsigned int flags)`
`503`	`{`	`503`	`{`
`504`	`int ret = 1;`	`504`	`int ret = 1;`
`505`	`- apr_size_t l = 1, w = 1;`	`505`	`+ apr_size_t l = 1, w = 1, n;`
		`506`	`+ int decode_unreserved = (flags & AP_NORMALIZE_DECODE_UNRESERVED) != 0;`
`506`		`507`
`507`	`if (!IS_SLASH(path[0])) {`	`508`	`if (!IS_SLASH(path[0])) {`
`508`	`/* Besides "OPTIONS *", a request-target should start with '/'`	`509`	`/* Besides "OPTIONS *", a request-target should start with '/'`
`@@ -529,7 +530,7 @@ AP_DECLARE(int) ap_normalize_path(char *path, unsigned int flags)`
`529`	`* be decoded to their corresponding unreserved characters by`	`530`	`* be decoded to their corresponding unreserved characters by`
`530`	`* URI normalizers.`	`531`	`* URI normalizers.`
`531`	`*/`	`532`	`*/`
`532`	`- if ((flags & AP_NORMALIZE_DECODE_UNRESERVED)`	`533`	`+ if (decode_unreserved`
`533`	`&& path[l] == '%' && apr_isxdigit(path[l + 1])`	`534`	`&& path[l] == '%' && apr_isxdigit(path[l + 1])`
`534`	`&& apr_isxdigit(path[l + 2])) {`	`535`	`&& apr_isxdigit(path[l + 2])) {`
`535`	`const char c = x2c(&path[l + 1]);`	`536`	`const char c = x2c(&path[l + 1]);`
`@@ -567,8 +568,17 @@ AP_DECLARE(int) ap_normalize_path(char *path, unsigned int flags)`
`567`	`continue;`	`568`	`continue;`
`568`	`}`	`569`	`}`
`569`		`570`
`570`	`- /* Remove /xx/../ segments */`	`571`	`+ /* Remove /xx/../ segments (or /xx/.%2e/ when`
`571`	`- if (path[l + 1] == '.' && IS_SLASH_OR_NUL(path[l + 2])) {`	`572`	`+ * AP_NORMALIZE_DECODE_UNRESERVED is set since we`
		`573`	`+ * decoded only the first dot above).`
		`574`	`+ */`
		`575`	`+ n = l + 1;`
		`576`	`+ if ((path[n] == '.' \|\| (decode_unreserved`
		`577`	`+ && path[n] == '%'`
		`578`	`+ && path[++n] == '2'`
		`579`	`+ && (path[++n] == 'e'`
		`580`	`+ \|\| path[n] == 'E')))`
		`581`	`+ && IS_SLASH_OR_NUL(path[n + 1])) {`
`572`	`/* Wind w back to remove the previous segment */`	`582`	`/* Wind w back to remove the previous segment */`
`573`	`if (w > 1) {`	`583`	`if (w > 1) {`
`574`	`do {`	`584`	`do {`
`@@ -585,7 +595,7 @@ AP_DECLARE(int) ap_normalize_path(char *path, unsigned int flags)`
`585`	`}`	`595`	`}`
`586`		`596`
`587`	`/* Move l forward to the next segment */`	`597`	`/* Move l forward to the next segment */`
`588`	`- l += 2;`	`598`	`+ l = n + 1;`
`589`	`if (path[l]) {`	`599`	`if (path[l]) {`
`590`	`l++;`	`600`	`l++;`
`591`	`}`	`601`	`}`