Increase security in core.c by testing (as we merge the path) that the
authorWilliam A. Rowe Jr <wrowe@apache.org>
Thu, 23 Aug 2001 22:17:19 +0000 (22:17 +0000)
committerWilliam A. Rowe Jr <wrowe@apache.org>
Thu, 23 Aug 2001 22:17:19 +0000 (22:17 +0000)
  URI does not go above the DocumentRoot (as defined by the OS, not by
  the URI specification), and give us the true name.

  When we are done, note the name is canonical for directory_walk.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90593 13f79535-47bb-0310-9956-ffa450edef68

server/core.c

index 50b464f1efe05cdfa8ef862867dc5256d9cef075..9f18233082e4de0af7bdeda5dbf803d1ee7a349b 100644 (file)
@@ -2911,8 +2911,14 @@ AP_DECLARE_NONSTD(int) ap_core_translate(request_rec *r)
        && (r->server->path[r->server->pathlen - 1] == '/'
            || r->uri[r->server->pathlen] == '/'
            || r->uri[r->server->pathlen] == '\0')) {
-        r->filename = apr_pstrcat(r->pool, conf->ap_document_root,
-                                (r->uri + r->server->pathlen), NULL);
+        if (apr_filepath_merge(r->filename, conf->ap_document_root,
+                              r->uri + r->server->pathlen, 
+                               APR_FILEPATH_TRUENAME 
+                             | APR_SECUREROOT_TEST, r->pool)
+                    != APR_SUCCESS) {
+            return HTTP_FORBIDDEN;
+        }
+        r->canonical_filename == r->filename;
     }
     else {
        /*
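Review bot: `r->canonical_filename == r->filename;` is a comparison whose result is discarded, so the name is never marked canonical for directory_walk as the commit message intends; it should read `r->canonical_filename = r->filename;`. The same statement appears again in the second hunk. Both calls also pass `r->filename` as the first argument, whereas apr_filepath_merge, as far as I know its signature, takes a `char **` out-parameter, so this presumably needs `&r->filename`; otherwise the merged, root-checked path is never stored in the request. ap_core_translate begins and ends outside this hunk.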
@@ -2920,15 +2926,14 @@ AP_DECLARE_NONSTD(int) ap_core_translate(request_rec *r)
          * /'s in a row.  This happens under windows when the document
          * root ends with a /
          */
-        if ((conf->ap_document_root[strlen(conf->ap_document_root)-1] == '/')
-           && (*(r->uri) == '/')) {
-           r->filename = apr_pstrcat(r->pool, conf->ap_document_root, r->uri+1,
-                                    NULL);
-       }
-       else {
-           r->filename = apr_pstrcat(r->pool, conf->ap_document_root, r->uri,
-                                    NULL);
-       }
+        if (apr_filepath_merge(r->filename, conf->ap_document_root,
+                               r->uri + (*(r->uri) == '/') ? 1 : 0, 
+                               APR_FILEPATH_TRUENAME 
+                             | APR_SECUREROOT_TEST, r->pool)
+                    != APR_SUCCESS) {
+            return HTTP_FORBIDDEN;
+        }
+        r->canonical_filename == r->filename;
     }
 
     return OK;
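Review bot: The add-path argument `r->uri + (*(r->uri) == '/') ? 1 : 0` parses as `(r->uri + (*(r->uri) == '/')) ? 1 : 0`, because `+` binds tighter than `?:`, so the call receives the integer 1 rather than a pointer into the URI. Parenthesise the conditional: `r->uri + ((*(r->uri) == '/') ? 1 : 0)`. As written, the above-DocumentRoot test in this branch is not applied to the request path at all, so the check the commit adds does not cover this code path. The function body starts outside the hunk.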