* modules/dav/main/mod_dav.c (dav_handler): Reject request if the
authorJoe Orton <jorton@apache.org>
Fri, 30 Jan 2004 13:19:24 +0000 (13:19 +0000)
committerJoe Orton <jorton@apache.org>
Fri, 30 Jan 2004 13:19:24 +0000 (13:19 +0000)
Request-URI includes a fragment part, i.e. an unescaped #.

PR: 21779
Submitted by: Amit Athavale <amit_athavale@lycos.com>
Reviewed by: Joe Orton, André Malo, Justin Erenkrantz

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@102462 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/dav/main/mod_dav.c

diff --git a/CHANGES b/CHANGES
index 59a2ef3450938193348c734eb56bc84e1d139e1f..b172674ed24b151e0d941ce6d9613563d02b69a1 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,8 @@
 Changes with Apache 2.0.49
 
+  *) mod_dav: Reject requests which include an unescaped fragment in the
+     Request-URI.  PR 21779.  [Amit Athavale <amit_athavale lycos.com>]
+
   *) Build array of allowed methods with proper dimensions, fixing
      possible memory corruption.  [Jeff Trawick]
 
index 0ca115fffbf7f9802fbb8fa4cee2a9b55fa40d74..e5790fc7ab32a7702e9f3c64d160a41778ef46ee 100644 (file)
@@ -4559,6 +4559,16 @@ static int dav_handler(request_rec *r)
     if (strcmp(r->handler, DAV_HANDLER_NAME) != 0)
         return DECLINED;
 
+    /* Reject requests with an unescaped hash character, as these may
+     * be more destructive than the user intended. */
+    if (r->parsed_uri.fragment != NULL) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                     "buggy client used un-escaped hash in Request-URI");
+        return dav_error_response(r, HTTP_BAD_REQUEST, 
+                                  "The request was invalid: the URI included "
+                                  "an un-escaped hash character");
+    }
+
     /* ### do we need to do anything with r->proxyreq ?? */
 
     /*
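Review bot: The comment above the new `r->parsed_uri.fragment` check says such requests "may be more destructive than the user intended" but never says why, so the guard looks arbitrary to a later maintainer. Presumably the concern is that the resource path is resolved without the fragment, so a DELETE on `/coll/#member` would act on `/coll/`. A comment such as `/* The fragment is not part of the resource path, so a method like DELETE would act on the parent resource rather than the one the client named. */` would record why the check has to stay ahead of method dispatch. Separately, the rejection is logged at `APLOG_ERR` even though any remote client can trigger it, so a lower level such as `APLOG_INFO` may be worth considering to keep the error log useful under noisy clients. The body of dav_handler starts and continues outside this hunk, so the claim about dispatch order is inferred from the placement directly after the handler-name test.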