Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Apache: Dev

Re: svn commit: r573831 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_rewrite.xml modules/mappers/mod_rewrite.c

  

 
Apache dev RSS feed   Index | Next | Previous | View Threaded


rpluem at apache

Sep 9, 2007, 2:41 AM

Post #1 of 6 (271 views)
Permalink
Re: svn commit: r573831 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_rewrite.xml modules/mappers/mod_rewrite.c
On 09/08/2007 02:46 PM, wrote:
> Author: niq
> Date: Sat Sep 8 05:46:10 2007
> New Revision: 573831
>
> URL: http://svn.apache.org/viewvc?rev=573831&view=rev
> Log:
> Add option to escape backreferences in RewriteRule.
> PR 34602 and PR 39746
> Patch by Guenther Gsenger
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml
> httpd/httpd/trunk/modules/mappers/mod_rewrite.c
>

>
> Modified: httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml?rev=573831&r1=573830&r2=573831&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml (original)
> +++ httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml Sat Sep 8 05:46:10 2007
> @@ -1243,6 +1243,21 @@
> brackets, of any of the following flags: </p>
>
> <dl>
> + <dt>'<code>B</code>' (escape backreferences)</dt>
> + <dd><p>Apache has to unescape URLs before mapping them,
> + so backreferences will be unescaped at the time they are applied.
> + Using the B flag, non-alphanumeric characters in backreferences
> + will be escaped. For example, consider the rule:</p>
> + <pre><code> RewriteRule RewriteRule ^(.*)$ index.php?show=$1 </code></pre>
> + <p>This will map <code>/C++</code> to <code>index.php?show=C++</code>.
> + But it will also map <code>/C%2b%2b</code> to
> + <code>index.php?show=C++</code>, because the <code>%2b</code>
> + has been unescaped. With the B flag, it will instead map to
> + <code>index.php?show=>/C%2b%2b</code>.</p>
> + <p>This escaping is particularly necessary in a proxy situation,
> + when the backend may break if presented with an unescaped URL.</p>
> + </dd>
> +

I am a little bit unsure if this can have security implications in some cases.

>
>
> Modified: httpd/httpd/trunk/modules/mappers/mod_rewrite.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_rewrite.c?rev=573831&r1=573830&r2=573831&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/mappers/mod_rewrite.c (original)
> +++ httpd/httpd/trunk/modules/mappers/mod_rewrite.c Sat Sep 8 05:46:10 2007

> @@ -635,6 +637,46 @@
> return 0;
> }
>
> +static const char c2x_table[] = "0123456789abcdef";
> +
> +static APR_INLINE unsigned char *c2x(unsigned what, unsigned char prefix,
> + unsigned char *where)
> +{
> +#if APR_CHARSET_EBCDIC
> + what = apr_xlate_conv_byte(ap_hdrs_to_ascii, (unsigned char)what);
> +#endif /*APR_CHARSET_EBCDIC*/
> + *where++ = prefix;
> + *where++ = c2x_table[what >> 4];
> + *where++ = c2x_table[what & 0xf];
> + return where;
> +}
> +
> +/*
> + * Escapes a uri in a similar way as php's urlencode does.
> + * Based on ap_os_escape_path in server/util.c
> + */
> +static char *escape_uri(apr_pool_t *p, const char *path) {
> + char *copy = apr_palloc(p, 3 * strlen(path) + 3);
> + const unsigned char *s = (const unsigned char *)path;
> + unsigned char *d = (unsigned char *)copy;
> + unsigned c;
> +
> + while ((c = *s)) {
> + if (apr_isalnum(c) || c == '_') {
> + *d++ = c;
> + }
> + else if (c == ' ') {
> + *d++ = '+';
> + }
> + else {
> + d = c2x(c, '%', d);
> + }
> + ++s;
> + }
> + *d = '\0';
> + return copy;
> +}
> +

Does it make sense to duplicate code? Shouldn't this be placed in util.c?

> /*
> * escape absolute uri, which may or may not be path oriented.
> * So let's handle them differently.

> @@ -2322,9 +2364,23 @@
> if (bri->source && n < AP_MAX_REG_MATCH
> && bri->regmatch[n].rm_eo > bri->regmatch[n].rm_so) {
> span = bri->regmatch[n].rm_eo - bri->regmatch[n].rm_so;
> -
> - current->len = span;
> - current->string = bri->source + bri->regmatch[n].rm_so;
> + if (entry && (entry->flags & RULEFLAG_ESCAPEBACKREF)) {
> + /* escape the backreference */
> + char *tmp2, *tmp;
> + tmp = apr_palloc(pool, span + 1);
> + strncpy(tmp, bri->source + bri->regmatch[n].rm_so, span);

How about using apr_pstrndup instead?

> + tmp[span] = '\0';
> + tmp2 = escape_uri(pool, tmp);
> + rewritelog((ctx->r, 5, ctx->perdir, "escaping backreference '%s' to '%s'",
> + tmp, tmp2));
> +
> + current->len = span = strlen(tmp2);
> + current->string = tmp2;
> + } else {
> + current->len = span;
> + current->string = bri->source + bri->regmatch[n].rm_so;
> + }
> +
> outlen += span;
> }
>

Regards

Rüdiger


nick at webthing

Sep 9, 2007, 7:03 AM

Post #2 of 6 (245 views)
Permalink
Re: svn commit: r573831 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_rewrite.xml modules/mappers/mod_rewrite.c [In reply to]
On Sun, 09 Sep 2007 11:41:53 +0200
Ruediger Pluem <rpluem[at]apache.org> wrote:

>
>
> On 09/08/2007 02:46 PM, wrote:
> > Author: niq
> > Date: Sat Sep 8 05:46:10 2007
> > New Revision: 573831
> >
> > URL: http://svn.apache.org/viewvc?rev=573831&view=rev
> > Log:
> > Add option to escape backreferences in RewriteRule.
> > PR 34602 and PR 39746
> > Patch by Guenther Gsenger

The patch is in bugzilla. I applied it without modification
because:
* It fixes both the bugs listed.
* The code looks good.
I'm sure it could benefit from further refactoring, but I didn't
want to spend more time on this than necessary.

> I am a little bit unsure if this can have security implications in
> some cases.

I'd like to see an example of how it might affect security.

> Does it make sense to duplicate code? Shouldn't this be placed in
> util.c?

Very likely. But that escalates it from a bugfix to an API change.

> How about using apr_pstrndup instead?

Indeed.

--
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/


nd at perlig

Sep 11, 2007, 6:11 AM

Post #3 of 6 (241 views)
Permalink
Re: svn commit: r573831 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_rewrite.xml modules/mappers/mod_rewrite.c [In reply to]
* niq[at]apache.org wrote:


> Author: niq
> Date: Sat Sep 8 05:46:10 2007
> New Revision: 573831
>
> URL: http://svn.apache.org/viewvc?rev=573831&view=rev
> Log:
> Add option to escape backreferences in RewriteRule.
> PR 34602 and PR 39746
> Patch by Guenther Gsenger
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml
> httpd/httpd/trunk/modules/mappers/mod_rewrite.c

This spreads another uri escaper copy around. Why can't we take
ap_escape_uri? Without deep digging: what's the difference?

nd


nick at webthing

Sep 11, 2007, 9:00 AM

Post #4 of 6 (239 views)
Permalink
Re: svn commit: r573831 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_rewrite.xml modules/mappers/mod_rewrite.c [In reply to]
On Tue, 11 Sep 2007 15:11:35 +0200
André Malo <nd[at]perlig.de> wrote:

> * niq[at]apache.org wrote:
>
>
> > Author: niq
> > Date: Sat Sep 8 05:46:10 2007
> > New Revision: 573831
> >
> > URL: http://svn.apache.org/viewvc?rev=573831&view=rev
> > Log:
> > Add option to escape backreferences in RewriteRule.
> > PR 34602 and PR 39746
> > Patch by Guenther Gsenger
> >
> > Modified:
> > httpd/httpd/trunk/CHANGES
> > httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml
> > httpd/httpd/trunk/modules/mappers/mod_rewrite.c
>
> This spreads another uri escaper copy around. Why can't we take
> ap_escape_uri? Without deep digging: what's the difference?

As I said in my reply to Rüdiger, I just applied the patch from
bugzilla, having ascertained that it looked sound and worked for
cases identified in both the bug reports referenced.

A further improvement, round tuits permitting, would indeed be
to look deeper, and eliminate any duplication.

--
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/


nd at perlig

Sep 11, 2007, 9:10 AM

Post #5 of 6 (242 views)
Permalink
Re: svn commit: r573831 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_rewrite.xml modules/mappers/mod_rewrite.c [In reply to]
* Nick Kew wrote:


> On Tue, 11 Sep 2007 15:11:35 +0200
>
> André Malo <nd[at]perlig.de> wrote:
> > * niq[at]apache.org wrote:
> > > Author: niq
> > > Date: Sat Sep 8 05:46:10 2007
> > > New Revision: 573831
> > >
> > > URL: http://svn.apache.org/viewvc?rev=573831&view=rev
> > > Log:
> > > Add option to escape backreferences in RewriteRule.
> > > PR 34602 and PR 39746
> > > Patch by Guenther Gsenger
> > >
> > > Modified:
> > > httpd/httpd/trunk/CHANGES
> > > httpd/httpd/trunk/docs/manual/mod/mod_rewrite.xml
> > > httpd/httpd/trunk/modules/mappers/mod_rewrite.c
> >
> > This spreads another uri escaper copy around. Why can't we take
> > ap_escape_uri? Without deep digging: what's the difference?
>
> As I said in my reply to Rüdiger, I just applied the patch from
> bugzilla, having ascertained that it looked sound and worked for
> cases identified in both the bug reports referenced.

Yep, sorry. Saw that reply too late. Just took a look at the diff and was
disturbed by the cluttering ;)

Also I don't like the ' ' => '+' transition, which should not be applied for
paths. It's safer to translate that always to %20, I guess.

> A further improvement, round tuits permitting, would indeed be
> to look deeper, and eliminate any duplication.

It should be done before considering backport, IMHO.

By the way, I'm wondering why nobody picked up the suggested use of the
escape rewrite map (or I overread it).
(http://issues.apache.org/bugzilla/show_bug.cgi?id=34602#c16)

nd


nick at webthing

Sep 11, 2007, 9:30 AM

Post #6 of 6 (238 views)
Permalink
Re: svn commit: r573831 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_rewrite.xml modules/mappers/mod_rewrite.c [In reply to]
On Tue, 11 Sep 2007 18:10:57 +0200
André Malo <nd[at]perlig.de> wrote:

> > A further improvement, round tuits permitting, would indeed be
> > to look deeper, and eliminate any duplication.
>
> It should be done before considering backport, IMHO.

Yep, guess so. I think I just put a proposal in STATUS (just
transcribing recent trunk/CHANGES entries), but I can withdraw
that pending further thought.

> By the way, I'm wondering why nobody picked up the suggested use of
> the escape rewrite map (or I overread it).
> (http://issues.apache.org/bugzilla/show_bug.cgi?id=34602#c16)

Can't speak for others, but I simply missed it.

--
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/

Apache dev RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact lists@gossamer-threads.com
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.