From: William A. Rowe Jr Date: Thu, 27 Jun 2013 16:44:56 +0000 (+0000) Subject: mod_dav: Make sure that when we prepare an If URL for Etag comparison, X-Git-Tag: 2.2.25~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1bab6e359ea6861a95e21eb9aeaa6ef2722fb395;p=thirdparty%2Fapache%2Fhttpd.git mod_dav: Make sure that when we prepare an If URL for Etag comparison, we compare unencoded paths. PR: 53910 Submitted by: Timothy Wood Backports: r1470940, r1477530 Reviewed by: minfrin, wrowe, rjung git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1497435 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 0a8b573e2e8..75363d6d866 100644 --- a/CHANGES +++ b/CHANGES @@ -28,6 +28,9 @@ Changes with Apache 2.2.25 to configure an IO timeout as an error in the balancer. [Daniel Ruggeri] + *) mod_dav: Make sure that when we prepare an If URL for Etag comparison, + we compare unencoded paths. PR 53910 [Timothy Wood ] + Changes with Apache 2.2.24 *) SECURITY: CVE-2012-3499 (cve.mitre.org) diff --git a/STATUS b/STATUS index 5198c16dacf..0f0151b30a6 100644 --- a/STATUS +++ b/STATUS @@ -96,17 +96,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_dav: Make sure that when we prepare an If URL for Etag comparison, - we compare unencoded paths. PR 53910 [Timothy Wood ] - trunk patch: http://svn.apache.org/r1470940 - http://svn.apache.org/r1477530 - 2.2.x patch: trunk patch works (minus CHANGES) - +1: minfrin, wrowe - +1: rjung (if the "rv" argument in dav_new_error() gets removed. - "rv" doesn't exist in the 2.2 file and the additional - argument also is not allowed in 2.2.x, in short: - trunk patch doesn't compile :( ) - * mod_dav: Sending a If or If-Match header with an invalid ETag doesn't result in a 412 Precondition Failed. PR54610 [Timothy Wood ] 
diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c index 6ab880b426d..3fd2b86026b 100644 --- a/modules/dav/main/util.c +++ b/modules/dav/main/util.c @@ -634,9 +634,18 @@ static dav_error * dav_process_if_header(request_rec *r, dav_if_header **p_ih) /* clean up the URI a bit */ ap_getparents(parsed_uri.path); + + /* the resources we will compare to have unencoded paths */ + if (ap_unescape_url(parsed_uri.path) != OK) { + return dav_new_error(r->pool, HTTP_BAD_REQUEST, + DAV_ERR_IF_TAGGED, + "Invalid percent encoded URI in tagged If-header."); + } + uri_len = strlen(parsed_uri.path); - if (uri_len > 1 && parsed_uri.path[uri_len - 1] == '/') + if (uri_len > 1 && parsed_uri.path[uri_len - 1] == '/') { parsed_uri.path[--uri_len] = '\0'; + } uri = parsed_uri.path; list_type = tagged;
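Review bot: In the dav_process_if_header() hunk of modules/dav/main/util.c, ap_unescape_url(parsed_uri.path) is called after ap_getparents(parsed_uri.path), so dot segments that arrive percent-encoded are decoded only once the cleanup pass has already run, and they can remain in the path that is then compared against the unencoded resource paths. Suggest decoding first and calling ap_getparents() afterwards, or running ap_getparents() a second time after the decode, so the compared path is fully normalized. The `!= OK` check also discards the status that ap_unescape_url() returned and reports every failure as HTTP_BAD_REQUEST; if that is intentional, a one-line comment saying so would help the next reader. The braces added around `parsed_uri.path[--uri_len] = '\0';` are a style-only change and would be easier to review apart from the fix.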