From: André Malo Date: Thu, 31 Jul 2003 22:58:58 +0000 (+0000) Subject: Ignore RewriteRules in .htaccess files if the directory X-Git-Tag: 2.0.48~159 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dcce8cefb8ce05f93c3126148a54351160294a72;p=thirdparty%2Fapache%2Fhttpd.git Ignore RewriteRules in .htaccess files if the directory containing the .htaccess file is requested without a trailing slash. PR: 20195 Reviewed by: Justin Erenkrantz, Jeff Trawick git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@100882 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 4185ee714e7..7a7c65d651a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,9 @@ Changes with Apache 2.0.48 + *) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory + containing the .htaccess file is requested without a trailing slash. + PR 20195. [André Malo] + *) ab: Overlong credentials given via command line no longer clobber the buffer. [André Malo] diff --git a/STATUS b/STATUS index d0409d0c188..fe9428853f8 100644 --- a/STATUS +++ b/STATUS @@ -1,5 +1,5 @@ APACHE 2.0 STATUS: -*-text-*- -Last modified at [$Date: 2003/07/31 20:23:20 $] +Last modified at [$Date: 2003/07/31 22:58:57 $] Release: @@ -257,15 +257,6 @@ PATCHES TO PORT FROM 2.1 modules/generators/mod_autoindex.c r1.120 +1: nd, trawick - * Ignore RewriteRules in .htaccess files if the directory - containing the .htaccess file is requested without a trailing slash. - PR 20195. - modules/mappers/mod_rewrite.c: r1.156, 1.168 - jerenkrantz says: We're doing 3 strlen's on the same value, can we please - clean that up? - nd replies: of course ..., 1.168 does. - +1: nd, jerenkrantz, trawick - * ab: Handle conditions where connect() on non-blocking socket doesn't complete immediately (i.e., restore functionality when benchmarking non-local targets). This doesn't resolve some 
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c index ae0090e967f..2d57a8ccf89 100644 --- a/modules/mappers/mod_rewrite.c +++ b/modules/mappers/mod_rewrite.c @@ -1402,7 +1402,7 @@ static int hook_fixup(request_rec *r) char *cp2; const char *ccp; char *prefix; - int l; + apr_size_t l; int rulestatus; int n; char *ofilename; @@ -1426,6 +1426,18 @@ static int hook_fixup(request_rec *r) return DECLINED; } + /* + * .htaccess file is called before really entering the directory, i.e.: + * URL: http://localhost/foo and .htaccess is located in foo directory + * Ignore such attempts, since they may lead to undefined behaviour. + */ + l = strlen(dconf->directory) - 1; + if (r->filename && strlen(r->filename) == l && + (dconf->directory)[l] == '/' && + !strncmp(r->filename, dconf->directory, l)) { + return DECLINED; + } + /* * only do something under runtime if the engine is really enabled, * for this directory, else return immediately!
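Review bot: in the hook_fixup declarations hunk ("- int l;" / "+ apr_size_t l;"), the type change applies to every use of l in the function, not only the new trailing-slash check, and those other uses are outside the lines shown here. Any existing comparison of l against a signed value, or any subtraction from it, is now evaluated unsigned. Either audit the remaining uses as part of this change or give the new check its own apr_size_t local and leave l as it was.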
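Review bot: at "l = strlen(dconf->directory) - 1;" in the new check, l is an apr_size_t, so an empty dconf->directory wraps l to the maximum value instead of giving -1. The condition stays in bounds only because "strlen(r->filename) == l" fails before "(dconf->directory)[l]" is read, and the lines shown do not establish that the directory string is non-empty at this point. Suggest taking the length first and testing that it is non-zero before subtracting, which also makes the intent explicit: the directory ends in '/' and r->filename equals the directory without that slash. The comment's "may lead to undefined behaviour" would help a later reader more if it named what goes wrong when the rules run in that state.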