to configure an IO timeout as an error in the balancer.
[Daniel Ruggeri]
+ *) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
+ we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>]
+
Changes with Apache 2.2.24
*) SECURITY: CVE-2012-3499 (cve.mitre.org)
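Review bot: The new CHANGES entry for mod_dav describes only the unencoded path comparison and omits the client-visible behaviour added by the same change: a tagged If header whose URL has invalid percent encoding is now rejected with HTTP_BAD_REQUEST. Suggest adding a sentence that says so, since administrators read CHANGES to learn about new error responses. The contributor address is also written "tjw omnigroup.com" here but "tjw omnigroup com" in the STATUS entry; use one form.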
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_dav: Make sure that when we prepare an If URL for Etag comparison,
- we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup com>]
- trunk patch: http://svn.apache.org/r1470940
- http://svn.apache.org/r1477530
- 2.2.x patch: trunk patch works (minus CHANGES)
- +1: minfrin, wrowe
- +1: rjung (if the "rv" argument in dav_new_error() gets removed.
- "rv" doesn't exist in the 2.2 file and the additional
- argument also is not allowed in 2.2.x, in short:
- trunk patch doesn't compile :( )
-
* mod_dav: Sending a If or If-Match header with an invalid ETag doesn't
result in a 412 Precondition Failed. PR54610
[Timothy Wood <tjw omnigroup com>]
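Review bot: The removed STATUS entry says "2.2.x patch: trunk patch works (minus CHANGES)", yet rjung's +1 in the same entry is conditional on removing the "rv" argument from dav_new_error() because the trunk patch does not compile on 2.2.x. The committed call passes four arguments with no "rv", so the condition appears to be met, but the commit log should state that the backport differs from r1470940 and r1477530 in this respect so that the vote record matches what was committed.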
/* clean up the URI a bit */
ap_getparents(parsed_uri.path);
+
+ /* the resources we will compare to have unencoded paths */
+ if (ap_unescape_url(parsed_uri.path) != OK) {
+ return dav_new_error(r->pool, HTTP_BAD_REQUEST,
+ DAV_ERR_IF_TAGGED,
+ "Invalid percent encoded URI in tagged If-header.");
+ }
+
uri_len = strlen(parsed_uri.path);
- if (uri_len > 1 && parsed_uri.path[uri_len - 1] == '/')
+ if (uri_len > 1 && parsed_uri.path[uri_len - 1] == '/') {
parsed_uri.path[--uri_len] = '\0';
+ }
uri = parsed_uri.path;
list_type = tagged;
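Review bot: ap_unescape_url() runs after ap_getparents(parsed_uri.path), so a path with percent-encoded dot segments is normalised first and decoded second, and the decoded string can still contain "." or ".." segments when it is compared with the resource path. Consider decoding before the ap_getparents() call, or add a comment explaining why this order is correct for the comparison. Every non-OK result from ap_unescape_url() is also reported as HTTP_BAD_REQUEST; a short comment confirming that this is intended would help. The added braces around the uri_len test are an unrelated style change and would be easier to review in a separate commit.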