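diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index b89d3e4..19f70d1 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -166,6 +166,7 @@ static const char* really_last_key = "rewrite_really_last";
 #define RULEFLAG_DISCARDPATHINFO 1<<15
 #define RULEFLAG_QSDISCARD 1<<16
 #define RULEFLAG_END 1<<17
+#define RULEFLAG_QSNONE (1<<20) /* programattic only */
 
 /* return code of the rewrite rule
 * the result may be escaped - or not
@@ -725,10 +726,18 @@ static char *escape_absolute_uri(apr_pool_t *p, char *uri, unsigned scheme)
 * split out a QUERY_STRING part from
 * the current URI string
 */
-static void splitout_queryargs(request_rec *r, int qsappend, int qsdiscard)
+static void splitout_queryargs(request_rec *r, int flags)
 {
 char *q;
 int split;
+ int qsappend = flags & RULEFLAG_QSAPPEND;
+ int qsdiscard = flags & RULEFLAG_QSDISCARD;
+
+ if (flags & RULEFLAG_QSNONE) {
+ rewritelog((r, 2, NULL, "discarding query string, no parse from substitution"));
+ r->args = NULL;
+ return;
+ }
 
 /* don't touch, unless it's a scheme for which a query string makes sense.
 * See RFC 1738 and RFC 2368.
@@ -2661,7 +2670,7 @@ static apr_status_t rewritelock_remove(void *data)
 * XXX: what an inclined parser. Seems we have to leave it so
 * for backwards compat. *sigh*
 */
-static int parseargline(char *str, char **a1, char **a2, char **a3)
+static int parseargline(char *str, char **a1, char **a2, char **a2_end, char **a3)
 {
 char quote;
 
@@ -2712,8 +2721,10 @@ static int parseargline(char *str, char **a1, char **a2, char **a3)
 
 if (!*str) {
 *a3 = NULL; /* 3rd argument is optional */
+ *a2_end = str;
 return 0;
 }
+ *a2_end = str;
 *str++ = '\0';
 
 while (apr_isspace(*str)) {
@@ -3230,6 +3241,7 @@ static const char *cmd_rewritecond(cmd_parms *cmd, void *in_dconf,
 ap_regex_t *regexp;
 char *a1;
 char *a2;
+ char *a2_end;
 char *a3;
 const char *err;
 
@@ -3248,7 +3260,7 @@ static const char *cmd_rewritecond(cmd_parms *cmd, void *in_dconf,
 * of the argument line. So we can use a1 .. a3 without
 * copying them again.
 */
- if (parseargline(str, &a1, &a2, &a3)) {
+ if (parseargline(str, &a1, &a2, &a2_end, &a3)) {
 return apr_pstrcat(cmd->pool, "RewriteCond: bad argument line '", str,
 "'", NULL);
 }
@@ -3645,6 +3657,7 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
 ap_regex_t *regexp;
 char *a1;
 char *a2;
+ char *a2_end;
 char *a3;
 const char *err;
 
@@ -3659,7 +3672,7 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
 }
 
 /* parse the argument line ourself */
- if (parseargline(str, &a1, &a2, &a3)) {
+ if (parseargline(str, &a1, &a2, &a2_end, &a3)) {
 return apr_pstrcat(cmd->pool, "RewriteRule: bad argument line '", str,
 "'", NULL);
 }
@@ -3705,6 +3718,16 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
 newrule->flags |= RULEFLAG_NOSUB;
 }
 
+ if (*(a2_end-1) == '?') {
+ /* a literal ? at the end of the unsubstituted rewrite rule */
+ newrule->flags |= RULEFLAG_QSNONE;
+ }
+ else if (newrule->flags & RULEFLAG_QSDISCARD) {
+ if (NULL == ap_strchr(newrule->output, '?')) {
+ newrule->flags |= RULEFLAG_QSNONE;
+ }
+ }
+
 /* now, if the server or per-dir config holds an
 * array of RewriteCond entries, we take it for us
 * and clear the array
@@ -4110,7 +4133,7 @@ static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx)
 r->path_info = NULL;
 }
 
- splitout_queryargs(r, p->flags & RULEFLAG_QSAPPEND, p->flags & RULEFLAG_QSDISCARD);
+ splitout_queryargs(r, p->flags);
 
 /* Add the previously stripped per-directory location prefix, unless
 * (1) it's an absolute URL path and
@@ -4565,6 +4588,17 @@ static int hook_uri2file(request_rec *r)
 unsigned skip;
 apr_size_t flen;
 
+ if (r->args && *(ap_scan_vchar_obstext(r->args))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10410)
+ "Rewritten query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
+
 if (ACTION_STATUS == rulestatus) {
 int n = r->status;
 
@@ -4833,6 +4867,17 @@ static int hook_fixup(request_rec *r)
 if (rulestatus) {
 unsigned skip;
 
+ if (r->args && *(ap_scan_vchar_obstext(r->args))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10411)
+ "Rewritten query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
+
 if (ACTION_STATUS == rulestatus) {
 int n = r->status;
 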
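Review bot: The literal `?` that sets RULEFLAG_QSNONE in cmd_rewriterule appears to stay in the substitution, because splitout_queryargs now returns on that flag before any of its splitting code runs, so the rewritten URI would keep a trailing `?` rather than having it stripped as an empty query string. If newrule->output still points into the parsed argument line (not visible in these hunks), dropping the character where the flag is set would avoid that: `*(a2_end-1) = '\0'; /* trailing ? has done its job */`. The test `*(a2_end-1) == '?'` also relies on parseargline never handing back an empty second argument, which the hunks do not show; putting `a2_end > a2 &&` in front of it would make that precondition explicit. The new macro comment has a typo and should read `/* programmatic only */`. The bodies of splitout_queryargs, parseargline and cmd_rewriterule all continue outside the hunks.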
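diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
index 9b69a2e..a52d777 100644
--- a/modules/proxy/mod_proxy_ajp.c
+++ b/modules/proxy/mod_proxy_ajp.c
@@ -69,6 +69,16 @@ static int proxy_ajp_canon(request_rec *r, char *url)
 path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
 r->proxyreq);
 search = r->args;
+ if (search && *(ap_scan_vchar_obstext(search))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10406)
+ "To be forwarded query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
 }
 if (path == NULL)
 return HTTP_BAD_REQUEST;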
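Review bot: The new query-string check in proxy_ajp_canon sits inside the branch that assigns `search = r->args`, and the closing brace right after it suggests a sibling branch outside the hunk that this guard does not reach; if that branch forwards `url` without canonical encoding, the same `ap_scan_vchar_obstext()` scan should be applied to the value it sends on. The identical placement is used in proxy_balancer_canon, proxy_http_canon and proxy_wstunnel_canon, so the same question applies to each of them. Because the block is now repeated in four canon handlers (and twice more in mod_rewrite.c) with only the APLOGNO number and message differing, a small shared helper that takes the string and the log message would keep the copies from drifting apart. The function body starts and ends outside the hunk.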
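diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c
index 4d9d2af..fa385c3 100644
--- a/modules/proxy/mod_proxy_balancer.c
+++ b/modules/proxy/mod_proxy_balancer.c
@@ -94,6 +94,16 @@ static int proxy_balancer_canon(request_rec *r, char *url)
 path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
 r->proxyreq);
 search = r->args;
+ if (search && *(ap_scan_vchar_obstext(search))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10407)
+ "To be forwarded query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
 }
 if (path == NULL)
 return HTTP_BAD_REQUEST;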
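diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
index 6767c89..1a10d99 100644
--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
@@ -87,6 +87,16 @@ static int proxy_http_canon(request_rec *r, char *url)
 path = ap_proxy_canonenc(r->pool, url, strlen(url),
 enc_path, 0, r->proxyreq);
 search = r->args;
+ if (search && *(ap_scan_vchar_obstext(search))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10408)
+ "To be forwarded query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
 }
 break;
 case PROXYREQ_PROXY: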
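diff --git a/modules/proxy/mod_proxy_wstunnel.c b/modules/proxy/mod_proxy_wstunnel.c
index eb34eee..438d035 100644
--- a/modules/proxy/mod_proxy_wstunnel.c
+++ b/modules/proxy/mod_proxy_wstunnel.c
@@ -73,6 +73,16 @@ static int proxy_wstunnel_canon(request_rec *r, char *url)
 path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
 r->proxyreq);
 search = r->args;
+ if (search && *(ap_scan_vchar_obstext(search))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10409)
+ "To be forwarded query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
 }
 if (path == NULL)
 return HTTP_BAD_REQUEST;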