From: Graham Leggett
Date: Tue, 23 Apr 2013 13:14:34 +0000 (+0000)
Subject: mod_dav: Make sure that when we prepare an If URL for Etag comparison,
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5829cbd11adf3285344961d0ddfff2ba0e63770d;p=thirdparty%2Fapache%2Fhttpd.git
mod_dav: Make sure that when we prepare an If URL for Etag comparison, we compare unencoded paths. PR 53910 Patch submitted by Timothy Wood Tested by William Lewis
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1470940 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 8acdf186997..05376b54f7f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
+ *) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
+ we compare unencoded paths. PR 53910 [Timothy Wood ]
+
 *) core, mod_ssl: Lift the restriction that prevents mod_ssl taking full advantage of the event MPM. Enable the ability for a module to reverse the sense of a poll event from a read to a write or vice
diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c
index 2f4ce8d8cfe..d2aff57a282 100644
--- a/modules/dav/main/util.c
+++ b/modules/dav/main/util.c
@@ -663,6 +663,13 @@ static dav_error * dav_process_if_header(request_rec *r, dav_if_header **p_ih)
 if (uri_len > 1 && parsed_uri.path[uri_len - 1] == '/')
 parsed_uri.path[--uri_len] = '\0';
+ /* the resources we will compare to have unencoded paths */
+ if (ap_unescape_url(parsed_uri.path) != OK) {
+ return dav_new_error(r->pool, HTTP_BAD_REQUEST,
+ DAV_ERR_IF_TAGGED, rv,
+ "Invalid percent encoded URI in tagged If-header.");
+ }
+
 uri = parsed_uri.path;
 list_type = tagged;
 break;
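Review bot: In the `modules/dav/main/util.c` hunk the in-place decode is added after `uri_len` was computed and the trailing `/` stripped, so once `ap_unescape_url()` shortens `parsed_uri.path` the length no longer matches the string, and the slash strip has only been applied to the encoded form. If `uri_len` is stored or used when the tagged URL is later compared (that code is outside this hunk, as are the start and end of `dav_process_if_header`), a URL containing any escape could be compared with the wrong length, and that comparison decides whether the If-header's lock-token and ETag conditions apply to the request. Decoding before the length is taken, or adding `uri_len = strlen(parsed_uri.path);` after the decode and repeating the slash strip, keeps the two in step. Separately, the error path passes `rv`, which is assigned outside the hunk and is not the result of `ap_unescape_url()`, so the status recorded in the error is probably stale; capturing the return value would also let a rejected encoded slash or NUL be told apart from a malformed escape.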