This was never a 'vulnerability'... the APR_FILEPATH_SECUREROOT flag
authorWilliam A. Rowe Jr <wrowe@apache.org>
Tue, 6 Aug 2002 16:27:36 +0000 (16:27 +0000)
committerWilliam A. Rowe Jr <wrowe@apache.org>
Tue, 6 Aug 2002 16:27:36 +0000 (16:27 +0000)
  passed to apr_filepath_merge refused to merge any rooted 'addpath'.
  However, that isn't the traditional 1.3 behavior, so fly past any
  leading '/'s on the way to merging the uri to the DocumentRoot.

PR: 10946

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@96314 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
server/core.c

diff --git a/CHANGES b/CHANGES
index c77af67932db2fab16c98749809b81f064f448a1..a1a897fa18f918be99962b43278032a4ca03e4d3 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,8 @@
 Changes with Apache 2.0.40
 
+  *) Accept multiple leading /'s for requests within the DocumentRoot.
+     PR 10946  [William Rowe]
+
   *) Solved the reports of .pdf byterange failures on Win32 alone.
      APR's sendfile for the win32 platform collapses header and trailer
      buffers into a single buffer.  However, we destroyed the pointers
index 09e47227614bc3d2ab6c2c155efb6ea72cbef56a..78f8eab27b5032478b2872479ff4c95cd29194ad 100644 (file)
@@ -3076,9 +3076,16 @@ AP_DECLARE_NONSTD(int) ap_core_translate(request_rec *r)
         && !strncmp(r->uri, r->server->path, r->server->pathlen)
         && (r->server->path[r->server->pathlen - 1] == '/'
             || r->uri[r->server->pathlen] == '/'
-            || r->uri[r->server->pathlen] == '\0')) {
-        if (apr_filepath_merge(&r->filename, conf->ap_document_root,
-                               r->uri + r->server->pathlen,
+            || r->uri[r->server->pathlen] == '\0')) 
+    {
+        /* skip all leading /'s (e.g. http://localhost///foo) 
+         * so we are looking at only the relative path.
+         */
+        char *path = r->uri + r->server->pathlen;
+        while (*path == '/') {
+            ++*path;
+        }
+        if (apr_filepath_merge(&r->filename, conf->ap_document_root, path,
                                APR_FILEPATH_TRUENAME
                              | APR_FILEPATH_SECUREROOT, r->pool)
                     != APR_SUCCESS) {
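Review bot: The skip loop `while (*path == '/') { ++*path; }` increments the byte that `path` points to rather than the pointer, so it overwrites the first '/' it finds in `r->uri` (the byte becomes '0' in ASCII), exits after one pass, and leaves `path` where it started. The string handed to `apr_filepath_merge` is therefore an altered name instead of the relative path, and any later reader of `r->uri` sees the modified URI as well. The loop body should be `++path;`, and since nothing needs to write through the pointer the declaration can be `const char *path`. The second hunk (`char *path = r->uri;`) contains the identical loop and needs the same change. The body of ap_core_translate starts and ends outside both hunks.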
@@ -3092,8 +3099,14 @@ AP_DECLARE_NONSTD(int) ap_core_translate(request_rec *r)
          * /'s in a row.  This happens under windows when the document
          * root ends with a /
          */
-        if (apr_filepath_merge(&r->filename, conf->ap_document_root,
-                               r->uri + ((*(r->uri) == '/') ? 1 : 0),
+        /* skip all leading /'s (e.g. http://localhost///foo) 
+         * so we are looking at only the relative path.
+         */
+        char *path = r->uri;
+        while (*path == '/') {
+            ++*path;
+        }
+        if (apr_filepath_merge(&r->filename, conf->ap_document_root, path,
                                APR_FILEPATH_TRUENAME
                              | APR_FILEPATH_SECUREROOT, r->pool)
                     != APR_SUCCESS) {