-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) core: Allow an optional expression to be specified for an effective
+ path in the DirectoryMatch and LocationMatch directives. This allows
+ modules like mod_dav to map URLs to URL spaces or to directories on
+ the filesystem. [Graham Leggett]
+
*) http: Enforce that fully qualified uri-paths not to be forward-proxied
have an http(s) scheme, and that the ones to be forward proxied have a
hostname, per HTTP specifications. [Ruediger Pluem, Yann Ylavic]
the corresponding <directive type="section">Directory</directive> will
be applied.</p>
+ <p>Some modules require the directory-path prefix in order to do their work,
+ and when a regular expression is provided the directory-path is no longer
+ available. From 2.5.1 onwards, an expression can be specified in addition
+ to the regular expression that resolves to the directory-path prefix. This
+ can allow complex mappings from the URL space to an effective directory.
+ This funcionality is identical to that provided by the
+ <directive>DirectoryMatch</directive> directive below.</p>
+
+ <highlight language="config">
+<Directory ~ /home/%{env:MATCH_PARTITIONNAME}/dav/ ^/dav/(?<PARTITIONNAME>[^/]+)/>
+ Dav on
+</Directory>
+ </highlight>
+
<p><strong>Note that the default access for
<code><Directory "/"></code> is to permit all access.
This means that Apache httpd will serve any file mapped from an URL. It is
<name>DirectoryMatch</name>
<description>Enclose directives that apply to
the contents of file-system directories matching a regular expression.</description>
-<syntax><DirectoryMatch <var>regex</var>>
+<syntax><DirectoryMatch [<var>expr</var>] <var>regex</var>>
... </DirectoryMatch></syntax>
<contextlist><context>server config</context><context>virtual host</context>
</contextlist>
<highlight language="config">
<DirectoryMatch "^/var/www/combined/(?<sitename>[^/]+)">
Require ldap-group cn=%{env:MATCH_SITENAME},ou=combined,o=Example
+</DirectoryMatch>
+ </highlight>
+
+ <p>Some modules require the directory-path prefix in order to do their work,
+ and when a regular expression is provided the directory-path is no longer
+ available. From 2.5.1 onwards, an expression can be specified in addition
+ to the regular expression that resolves to the directory-path prefix. This
+ can allow complex mappings from the URL space to an effective directory.</p>
+
+ <highlight language="config">
+<DirectoryMatch /home/%{env:MATCH_PARTITIONNAME}/dav/ ^/dav/(?<PARTITIONNAME>[^/]+)/>
+ Dav on
</DirectoryMatch>
</highlight>
</usage>
</Location>
</highlight>
+ <p>Some modules require the URL-path prefix in order to do their work, and when
+ a regular expression is provided the URL-path is no longer available. From
+ 2.5.1 onwards, an expression can be specified in addition to the regular
+ expression that resolves to the URL-path prefix. This can allow complex
+ mappings from the URL space to an effective path. This funcionality is identical
+ to that provided by the <directive>LocationMatch</directive> directive below.</p>
+
+ <highlight language="config">
+<Location ~ /dav/%{env:MATCH_PARTITIONNAME} ^/dav/(?<PARTITIONNAME>[^/]+)/>
+ Dav on
+</Location>
+ </highlight>
+
<note><title>Note about / (slash)</title>
<p>The slash character has special meaning depending on where in a
URL it appears. People may be used to its behavior in the filesystem
<description>Applies the enclosed directives only to regular-expression
matching URLs</description>
<syntax><LocationMatch
- <var>regex</var>> ... </LocationMatch></syntax>
+ [<var>expr</var>] <var>regex</var>> ... </LocationMatch></syntax>
<contextlist><context>server config</context><context>virtual host</context>
</contextlist>
</LocationMatch>
</highlight>
+ <p>Some modules require the URL-path prefix in order to do their work, and when
+ a regular expression is provided the URL-path is no longer available. From
+ 2.5.1 onwards, an expression can be specified in addition to the regular
+ expression that resolves to the URL-path prefix. This can allow complex
+ mappings from the URL space to an effective path.</p>
+
+ <highlight language="config">
+<LocationMatch /dav/%{env:MATCH_PARTITIONNAME} ^/dav/(?<PARTITIONNAME>[^/]+)/>
+ Dav on
+</LocationMatch>
+ </highlight>
+
<note><title>Note about / (slash)</title>
<p>The slash character has special meaning depending on where in a
URL it appears. People may be used to its behavior in the filesystem
const char *dir;
int locktimeout;
int allow_depthinfinity;
+ const ap_expr_info_t *dir_expr;
} dav_dir_conf;
newconf->dir = DAV_INHERIT_VALUE(parent, child, dir);
newconf->allow_depthinfinity = DAV_INHERIT_VALUE(parent, child,
allow_depthinfinity);
+ newconf->dir_expr = DAV_INHERIT_VALUE(parent, child, dir_expr);
return newconf;
}
}
}
+ if (!conf->dir_expr) {
+ const char *expr_err = NULL;
+
+ conf->dir_expr = ap_expr_parse_cmd(cmd, conf->dir, AP_EXPR_FLAG_STRING_RESULT,
+ &expr_err, NULL);
+ if (expr_err) {
+ return apr_pstrcat(cmd->temp_pool,
+ "Cannot parse Directory/Location expression '", conf->dir, "': ",
+ expr_err, NULL);
+ }
+ }
+
return NULL;
}
return -1;
}
+static int uripath_is_canonical(const char *uripath)
+{
+ const char *dot_pos, *ptr = uripath;
+ apr_size_t i, len;
+ unsigned pattern = 0;
+
+ /* URIPATH is canonical if it has:
+ * - no '.' segments
+ * - no closing '/'
+ * - no '//'
+ */
+
+ if (ptr[0] == '.'
+ && (ptr[1] == '/' || ptr[1] == '\0'
+ || (ptr[1] == '.' && (ptr[2] == '/' || ptr[2] == '\0')))) {
+ return 0;
+ }
+
+ /* valid special cases */
+ len = strlen(ptr);
+ if (len < 2) {
+ return 1;
+ }
+
+ /* invalid endings */
+ if (ptr[len - 1] == '/' || (ptr[len - 1] == '.' && ptr[len - 2] == '/')) {
+ return 0;
+ }
+
+ /* '.' are rare. So, search for them globally. There will often be no
+ * more than one hit. Also note that we already checked for invalid
+ * starts and endings, i.e. we only need to check for "/./"
+ */
+ for (dot_pos = memchr(ptr, '.', len); dot_pos;
+ dot_pos = strchr(dot_pos + 1, '.')) {
+ if (dot_pos > ptr && dot_pos[-1] == '/' && dot_pos[1] == '/') {
+ return 0;
+ }
+ }
+
+ /* Now validate the rest of the path. */
+ for (i = 0; i < len - 1; ++i) {
+ pattern = ((pattern & 0xff) << 8) + (unsigned char) ptr[i];
+ if (pattern == 0x101 * (unsigned char) ('/')) {
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
/* resolve a request URI to a resource descriptor.
*
* If label_allowed != 0, then allow the request target to be altered by
{
dav_dir_conf *conf;
const char *label = NULL;
+ const char *dir;
dav_error *err;
/* if the request target can be overridden, get any target selector */
ap_escape_html(r->pool, r->uri)));
}
+ if (conf->dir_expr) {
+ const char *err = NULL;
+
+ dir = ap_expr_str_exec(r, conf->dir_expr, &err);
+ if (err) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10367)
+ "Director/Location expression '%s' could not be parsed: %s", conf->dir, err);
+ return dav_new_error(r->pool, HTTP_INTERNAL_SERVER_ERROR, 0, 0,
+ apr_psprintf(r->pool,
+ "Directory/Location expression could not be parsed: %s", err));
+ }
+
+ /* safety check - is our path canonical? */
+ if (!uripath_is_canonical(dir)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10368)
+ "Directory/Location is not canonical ('.', '..' and '//' not allowed): %s", dir);
+ return dav_new_error(r->pool, HTTP_BAD_REQUEST, 0, 0,
+ apr_psprintf(r->pool, "Directory/Location is not canonical for: %s",
+ ap_escape_html(r->pool, r->uri)));
+ }
+
+ }
+ else {
+ dir = conf->dir;
+ }
+
/* resolve the resource */
- err = (*conf->provider->repos->get_resource)(r, conf->dir,
- label, use_checked_in,
+ err = (*conf->provider->repos->get_resource)(r, dir, label, use_checked_in,
res_p);
if (err != NULL) {
err = dav_push_error(r->pool, err->status, 0,
char *old_path = cmd->path;
core_dir_config *conf;
ap_conf_vector_t *new_dir_conf = ap_create_per_dir_config(cmd->pool);
+ const char *regex;
ap_regex_t *r = NULL;
const command_rec *thiscmd = cmd->cmd;
if (!strcmp(cmd->path, "~")) {
cmd->path = ap_getword_conf(cmd->pool, &arg);
- if (!cmd->path)
- return "<Directory ~ > block must specify a path";
- r = ap_pregcomp(cmd->pool, cmd->path, AP_REG_EXTENDED|USE_ICASE);
+ if (!*cmd->path) {
+ return "<Directory ~ > block must specify a regex";
+ }
+ regex = ap_getword_conf(cmd->pool, &arg);
+ r = ap_pregcomp(cmd->pool, *regex ? regex : cmd->path,
+ AP_REG_EXTENDED | USE_ICASE);
if (!r) {
return "Regex could not be compiled";
}
}
else if (thiscmd->cmd_data) { /* <DirectoryMatch> */
- r = ap_pregcomp(cmd->pool, cmd->path, AP_REG_EXTENDED|USE_ICASE);
+ regex = ap_getword_conf(cmd->pool, &arg);
+ r = ap_pregcomp(cmd->pool, *regex ? regex : cmd->path,
+ AP_REG_EXTENDED | USE_ICASE);
if (!r) {
return "Regex could not be compiled";
}
ap_add_per_dir_conf(cmd->server, new_dir_conf);
if (*arg != '\0') {
- return apr_pstrcat(cmd->pool, "Multiple ", thiscmd->name,
- "> arguments not (yet) supported.", NULL);
+ return apr_pstrcat(cmd->pool, "Additional ", thiscmd->name,
+ "> arguments not (yet) supported: ", arg, NULL);
}
cmd->path = old_path;
int old_overrides = cmd->override;
char *old_path = cmd->path;
core_dir_config *conf;
+ const char *regex;
ap_regex_t *r = NULL;
const command_rec *thiscmd = cmd->cmd;
ap_conf_vector_t *new_url_conf = ap_create_per_dir_config(cmd->pool);
cmd->override = OR_ALL|ACCESS_CONF;
if (thiscmd->cmd_data) { /* <LocationMatch> */
- r = ap_pregcomp(cmd->pool, cmd->path, AP_REG_EXTENDED);
+ regex = ap_getword_conf(cmd->pool, &arg);
+ r = ap_pregcomp(cmd->pool, *regex ? regex : cmd->path,
+ AP_REG_EXTENDED);
if (!r) {
return "Regex could not be compiled";
}
}
else if (!strcmp(cmd->path, "~")) {
cmd->path = ap_getword_conf(cmd->pool, &arg);
- r = ap_pregcomp(cmd->pool, cmd->path, AP_REG_EXTENDED);
+ if (!*cmd->path) {
+ return "<Location ~ > block must specify a regex";
+ }
+ regex = ap_getword_conf(cmd->pool, &arg);
+ r = ap_pregcomp(cmd->pool, *regex ? regex : cmd->path,
+ AP_REG_EXTENDED);
if (!r) {
return "Regex could not be compiled";
}
ap_add_per_url_conf(cmd->server, new_url_conf);
if (*arg != '\0') {
- return apr_pstrcat(cmd->pool, "Multiple ", thiscmd->name,
- "> arguments not (yet) supported.", NULL);
+ return apr_pstrcat(cmd->pool, "Additional ", thiscmd->name,
+ "> arguments not (yet) supported: ", arg, NULL);
}
cmd->path = old_path;
int old_overrides = cmd->override;
char *old_path = cmd->path;
core_dir_config *conf;
+ const char *regex;
ap_regex_t *r = NULL;
const command_rec *thiscmd = cmd->cmd;
ap_conf_vector_t *new_file_conf = ap_create_per_dir_config(cmd->pool);
}
if (thiscmd->cmd_data) { /* <FilesMatch> */
- r = ap_pregcomp(cmd->pool, cmd->path, AP_REG_EXTENDED|USE_ICASE);
+ regex = ap_getword_conf(cmd->pool, &arg);
+ r = ap_pregcomp(cmd->pool, *regex ? regex : cmd->path,
+ AP_REG_EXTENDED | USE_ICASE);
if (!r) {
return "Regex could not be compiled";
}
}
else if (!strcmp(cmd->path, "~")) {
cmd->path = ap_getword_conf(cmd->pool, &arg);
- r = ap_pregcomp(cmd->pool, cmd->path, AP_REG_EXTENDED|USE_ICASE);
+ regex = ap_getword_conf(cmd->pool, &arg);
+ r = ap_pregcomp(cmd->pool, *regex ? regex : cmd->path,
+ AP_REG_EXTENDED | USE_ICASE);
if (!r) {
return "Regex could not be compiled";
}
ap_add_file_conf(cmd->pool, (core_dir_config *)mconfig, new_file_conf);
if (*arg != '\0') {
- return apr_pstrcat(cmd->pool, "Multiple ", thiscmd->name,
- "> arguments not (yet) supported.", NULL);
+ return apr_pstrcat(cmd->pool, "Additional ", thiscmd->name,
+ "> arguments not (yet) supported: ", arg, NULL);
}
cmd->path = old_path;
return errmsg;
if (*arg != '\0') {
- return apr_pstrcat(cmd->pool, "Multiple ", thiscmd->name,
- "> arguments not supported.", NULL);
+ return apr_pstrcat(cmd->pool, "Additional ", thiscmd->name,
+ "> arguments not supported: ", arg, NULL);
}
cmd->path = old_path;
projects / thirdparty / apache / httpd.git / commitdiff
