From: Graham Leggett Date: Thu, 20 Jan 2022 22:13:24 +0000 (+0000) Subject: Revert 1897156. X-Git-Tag: 2.5.0-alpha2-ci-test-only~566 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=62db0c63abc6b66343eaa73a4811f8a1605f3366;p=thirdparty%2Fapache%2Fhttpd.git Revert 1897156. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1897273 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index cc04ee13e43..de3bbe22d62 100644 --- a/CHANGES +++ b/CHANGES @@ -1,11 +1,6 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 - *) core: Allow an optional expression to be specified for an effective - path in the DirectoryMatch and LocationMatch directives. This allows - modules like mod_dav to map URLs to URL spaces or to directories on - the filesystem. [Graham Leggett] - *) http: Enforce that fully qualified uri-paths not to be forward-proxied have an http(s) scheme, and that the ones to be forward proxied have a hostname, per HTTP specifications. [Ruediger Pluem, Yann Ylavic] diff --git a/docs/manual/mod/core.xml b/docs/manual/mod/core.xml index 1b981071464..e22545e8cfe 100644 --- a/docs/manual/mod/core.xml +++ b/docs/manual/mod/core.xml @@ -926,20 +926,6 @@ named file-system directory, sub-directories, and their contents. the corresponding Directory will be applied.

-

Some modules require the directory-path prefix in order to do their work, - and when a regular expression is provided the directory-path is no longer - available. From 2.5.1 onwards, an expression can be specified in addition - to the regular expression that resolves to the directory-path prefix. This - can allow complex mappings from the URL space to an effective directory. - This funcionality is identical to that provided by the - DirectoryMatch directive below.

- - -<Directory ~ /home/%{env:MATCH_PARTITIONNAME}/dav/ ^/dav/(?<PARTITIONNAME>[^/]+)/> - Dav on -</Directory> - -

Note that the default access for <Directory "/"> is to permit all access. This means that Apache httpd will serve any file mapped from an URL. It is @@ -973,7 +959,7 @@ named file-system directory, sub-directories, and their contents. DirectoryMatch Enclose directives that apply to the contents of file-system directories matching a regular expression. -<DirectoryMatch [expr] regex> +<DirectoryMatch regex> ... </DirectoryMatch> server configvirtual host @@ -1019,18 +1005,6 @@ the contents of file-system directories matching a regular expression. <DirectoryMatch "^/var/www/combined/(?<sitename>[^/]+)"> Require ldap-group cn=%{env:MATCH_SITENAME},ou=combined,o=Example -</DirectoryMatch> - - -

Some modules require the directory-path prefix in order to do their work, - and when a regular expression is provided the directory-path is no longer - available. From 2.5.1 onwards, an expression can be specified in addition - to the regular expression that resolves to the directory-path prefix. This - can allow complex mappings from the URL space to an effective directory.

- - -<DirectoryMatch /home/%{env:MATCH_PARTITIONNAME}/dav/ ^/dav/(?<PARTITIONNAME>[^/]+)/> - Dav on </DirectoryMatch> @@ -3198,19 +3172,6 @@ URLs </Location> -

Some modules require the URL-path prefix in order to do their work, and when - a regular expression is provided the URL-path is no longer available. From - 2.5.1 onwards, an expression can be specified in addition to the regular - expression that resolves to the URL-path prefix. This can allow complex - mappings from the URL space to an effective path. This funcionality is identical - to that provided by the LocationMatch directive below.

- - -<Location ~ /dav/%{env:MATCH_PARTITIONNAME} ^/dav/(?<PARTITIONNAME>[^/]+)/> - Dav on -</Location> - - Note about / (slash)

The slash character has special meaning depending on where in a URL it appears. People may be used to its behavior in the filesystem @@ -3246,7 +3207,7 @@ URLs Applies the enclosed directives only to regular-expression matching URLs <LocationMatch - [expr] regex> ... </LocationMatch> + regex> ... </LocationMatch> server configvirtual host @@ -3289,18 +3250,6 @@ matching URLs </LocationMatch> -

Some modules require the URL-path prefix in order to do their work, and when - a regular expression is provided the URL-path is no longer available. From - 2.5.1 onwards, an expression can be specified in addition to the regular - expression that resolves to the URL-path prefix. This can allow complex - mappings from the URL space to an effective path.

- - -<LocationMatch /dav/%{env:MATCH_PARTITIONNAME} ^/dav/(?<PARTITIONNAME>[^/]+)/> - Dav on -</LocationMatch> - - Note about / (slash)

The slash character has special meaning depending on where in a URL it appears. People may be used to its behavior in the filesystem diff --git a/modules/dav/main/mod_dav.c b/modules/dav/main/mod_dav.c index 9832bc0207e..1a4b0663f07 100644 --- a/modules/dav/main/mod_dav.c +++ b/modules/dav/main/mod_dav.c @@ -83,7 +83,6 @@ typedef struct { const char *dir; int locktimeout; int allow_depthinfinity; - const ap_expr_info_t *dir_expr; } dav_dir_conf; @@ -204,7 +203,6 @@ static void *dav_merge_dir_config(apr_pool_t *p, void *base, void *overrides) newconf->dir = DAV_INHERIT_VALUE(parent, child, dir); newconf->allow_depthinfinity = DAV_INHERIT_VALUE(parent, child, allow_depthinfinity); - newconf->dir_expr = DAV_INHERIT_VALUE(parent, child, dir_expr); return newconf; } @@ -284,18 +282,6 @@ static const char *dav_cmd_dav(cmd_parms *cmd, void *config, const char *arg1) } } - if (!conf->dir_expr) { - const char *expr_err = NULL; - - conf->dir_expr = ap_expr_parse_cmd(cmd, conf->dir, AP_EXPR_FLAG_STRING_RESULT, - &expr_err, NULL); - if (expr_err) { - return apr_pstrcat(cmd->temp_pool, - "Cannot parse Directory/Location expression '", conf->dir, "': ", - expr_err, NULL); - } - } - return NULL; } @@ -737,57 +723,6 @@ static int dav_get_overwrite(request_rec *r) return -1; } -static int uripath_is_canonical(const char *uripath) -{ - const char *dot_pos, *ptr = uripath; - apr_size_t i, len; - unsigned pattern = 0; - - /* URIPATH is canonical if it has: - * - no '.' segments - * - no closing '/' - * - no '//' - */ - - if (ptr[0] == '.' - && (ptr[1] == '/' || ptr[1] == '\0' - || (ptr[1] == '.' && (ptr[2] == '/' || ptr[2] == '\0')))) { - return 0; - } - - /* valid special cases */ - len = strlen(ptr); - if (len < 2) { - return 1; - } - - /* invalid endings */ - if (ptr[len - 1] == '/' || (ptr[len - 1] == '.' && ptr[len - 2] == '/')) { - return 0; - } - - /* '.' are rare. So, search for them globally. There will often be no - * more than one hit. Also note that we already checked for invalid - * starts and endings, i.e. we only need to check for "/./" - */ - for (dot_pos = memchr(ptr, '.', len); dot_pos; - dot_pos = ap_strchr_c(dot_pos + 1, '.')) { - if (dot_pos > ptr && dot_pos[-1] == '/' && dot_pos[1] == '/') { - return 0; - } - } - - /* Now validate the rest of the path. */ - for (i = 0; i < len - 1; ++i) { - pattern = ((pattern & 0xff) << 8) + (unsigned char) ptr[i]; - if (pattern == 0x101 * (unsigned char) ('/')) { - return 0; - } - } - - return 1; -} - /* resolve a request URI to a resource descriptor. * * If label_allowed != 0, then allow the request target to be altered by @@ -802,7 +737,6 @@ DAV_DECLARE(dav_error *) dav_get_resource(request_rec *r, int label_allowed, { dav_dir_conf *conf; const char *label = NULL; - const char *dir; dav_error *err; /* if the request target can be overridden, get any target selector */ @@ -819,34 +753,9 @@ DAV_DECLARE(dav_error *) dav_get_resource(request_rec *r, int label_allowed, ap_escape_html(r->pool, r->uri))); } - if (conf->dir_expr) { - const char *err = NULL; - - dir = ap_expr_str_exec(r, conf->dir_expr, &err); - if (err) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10367) - "Director/Location expression '%s' could not be parsed: %s", conf->dir, err); - return dav_new_error(r->pool, HTTP_INTERNAL_SERVER_ERROR, 0, 0, - apr_psprintf(r->pool, - "Directory/Location expression could not be parsed: %s", err)); - } - - /* safety check - is our path canonical? */ - if (!uripath_is_canonical(dir)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10368) - "Directory/Location is not canonical ('.', '..' and '//' not allowed): %s", dir); - return dav_new_error(r->pool, HTTP_BAD_REQUEST, 0, 0, - apr_psprintf(r->pool, "Directory/Location is not canonical for: %s", - ap_escape_html(r->pool, r->uri))); - } - - } - else { - dir = conf->dir; - } - /* resolve the resource */ - err = (*conf->provider->repos->get_resource)(r, dir, label, use_checked_in, + err = (*conf->provider->repos->get_resource)(r, conf->dir, + label, use_checked_in, res_p); if (err != NULL) { err = dav_push_error(r->pool, err->status, 0, diff --git a/server/core.c b/server/core.c index 634d4c6b5db..67c36f8134d 100644 --- a/server/core.c +++ b/server/core.c @@ -2506,7 +2506,6 @@ static const char *dirsection(cmd_parms *cmd, void *mconfig, const char *arg) char *old_path = cmd->path; core_dir_config *conf; ap_conf_vector_t *new_dir_conf = ap_create_per_dir_config(cmd->pool); - const char *regex; ap_regex_t *r = NULL; const command_rec *thiscmd = cmd->cmd; @@ -2530,20 +2529,15 @@ static const char *dirsection(cmd_parms *cmd, void *mconfig, const char *arg) if (!strcmp(cmd->path, "~")) { cmd->path = ap_getword_conf(cmd->pool, &arg); - if (!*cmd->path) { - return " block must specify a regex"; - } - regex = ap_getword_conf(cmd->pool, &arg); - r = ap_pregcomp(cmd->pool, *regex ? regex : cmd->path, - AP_REG_EXTENDED | USE_ICASE); + if (!cmd->path) + return " block must specify a path"; + r = ap_pregcomp(cmd->pool, cmd->path, AP_REG_EXTENDED|USE_ICASE); if (!r) { return "Regex could not be compiled"; } } else if (thiscmd->cmd_data) { /* */ - regex = ap_getword_conf(cmd->pool, &arg); - r = ap_pregcomp(cmd->pool, *regex ? regex : cmd->path, - AP_REG_EXTENDED | USE_ICASE); + r = ap_pregcomp(cmd->pool, cmd->path, AP_REG_EXTENDED|USE_ICASE); if (!r) { return "Regex could not be compiled"; } @@ -2605,8 +2599,8 @@ static const char *dirsection(cmd_parms *cmd, void *mconfig, const char *arg) ap_add_per_dir_conf(cmd->server, new_dir_conf); if (*arg != '\0') { - return apr_pstrcat(cmd->pool, "Additional ", thiscmd->name, - "> arguments not (yet) supported: ", arg, NULL); + return apr_pstrcat(cmd->pool, "Multiple ", thiscmd->name, + "> arguments not (yet) supported.", NULL); } cmd->path = old_path; @@ -2622,7 +2616,6 @@ static const char *urlsection(cmd_parms *cmd, void *mconfig, const char *arg) int old_overrides = cmd->override; char *old_path = cmd->path; core_dir_config *conf; - const char *regex; ap_regex_t *r = NULL; const command_rec *thiscmd = cmd->cmd; ap_conf_vector_t *new_url_conf = ap_create_per_dir_config(cmd->pool); @@ -2645,21 +2638,14 @@ static const char *urlsection(cmd_parms *cmd, void *mconfig, const char *arg) cmd->override = OR_ALL|ACCESS_CONF; if (thiscmd->cmd_data) { /* */ - regex = ap_getword_conf(cmd->pool, &arg); - r = ap_pregcomp(cmd->pool, *regex ? regex : cmd->path, - AP_REG_EXTENDED); + r = ap_pregcomp(cmd->pool, cmd->path, AP_REG_EXTENDED); if (!r) { return "Regex could not be compiled"; } } else if (!strcmp(cmd->path, "~")) { cmd->path = ap_getword_conf(cmd->pool, &arg); - if (!*cmd->path) { - return " block must specify a regex"; - } - regex = ap_getword_conf(cmd->pool, &arg); - r = ap_pregcomp(cmd->pool, *regex ? regex : cmd->path, - AP_REG_EXTENDED); + r = ap_pregcomp(cmd->pool, cmd->path, AP_REG_EXTENDED); if (!r) { return "Regex could not be compiled"; } @@ -2685,8 +2671,8 @@ static const char *urlsection(cmd_parms *cmd, void *mconfig, const char *arg) ap_add_per_url_conf(cmd->server, new_url_conf); if (*arg != '\0') { - return apr_pstrcat(cmd->pool, "Additional ", thiscmd->name, - "> arguments not (yet) supported: ", arg, NULL); + return apr_pstrcat(cmd->pool, "Multiple ", thiscmd->name, + "> arguments not (yet) supported.", NULL); } cmd->path = old_path; @@ -2702,7 +2688,6 @@ static const char *filesection(cmd_parms *cmd, void *mconfig, const char *arg) int old_overrides = cmd->override; char *old_path = cmd->path; core_dir_config *conf; - const char *regex; ap_regex_t *r = NULL; const command_rec *thiscmd = cmd->cmd; ap_conf_vector_t *new_file_conf = ap_create_per_dir_config(cmd->pool); @@ -2730,18 +2715,14 @@ static const char *filesection(cmd_parms *cmd, void *mconfig, const char *arg) } if (thiscmd->cmd_data) { /* */ - regex = ap_getword_conf(cmd->pool, &arg); - r = ap_pregcomp(cmd->pool, *regex ? regex : cmd->path, - AP_REG_EXTENDED | USE_ICASE); + r = ap_pregcomp(cmd->pool, cmd->path, AP_REG_EXTENDED|USE_ICASE); if (!r) { return "Regex could not be compiled"; } } else if (!strcmp(cmd->path, "~")) { cmd->path = ap_getword_conf(cmd->pool, &arg); - regex = ap_getword_conf(cmd->pool, &arg); - r = ap_pregcomp(cmd->pool, *regex ? regex : cmd->path, - AP_REG_EXTENDED | USE_ICASE); + r = ap_pregcomp(cmd->pool, cmd->path, AP_REG_EXTENDED|USE_ICASE); if (!r) { return "Regex could not be compiled"; } @@ -2777,8 +2758,8 @@ static const char *filesection(cmd_parms *cmd, void *mconfig, const char *arg) ap_add_file_conf(cmd->pool, (core_dir_config *)mconfig, new_file_conf); if (*arg != '\0') { - return apr_pstrcat(cmd->pool, "Additional ", thiscmd->name, - "> arguments not (yet) supported: ", arg, NULL); + return apr_pstrcat(cmd->pool, "Multiple ", thiscmd->name, + "> arguments not (yet) supported.", NULL); } cmd->path = old_path; @@ -2864,8 +2845,8 @@ static const char *ifsection(cmd_parms *cmd, void *mconfig, const char *arg) return errmsg; if (*arg != '\0') { - return apr_pstrcat(cmd->pool, "Additional ", thiscmd->name, - "> arguments not supported: ", arg, NULL); + return apr_pstrcat(cmd->pool, "Multiple ", thiscmd->name, + "> arguments not supported.", NULL); } cmd->path = old_path;