[Remove entries to the current 2.0 section below, when backported]
+ *) mod_dav: Disallow requests with an unescaped hash character in
+ the Request-URI. PR 21779. Amit Athavale <amit_athavale lycos.com>
+
*) Add forensic logging module (mod_log_forensic).
[Ben Laurie]
if (strcmp(r->handler, DAV_HANDLER_NAME) != 0)
return DECLINED;
+ /* Reject requests with an unescaped hash character, as these may
+ * be more destructive than the user intended. */
+ if (r->parsed_uri.fragment != NULL) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "buggy client used un-escaped hash in Request-URI");
+ return dav_error_response(r, HTTP_BAD_REQUEST,
+ "The request was invalid: the URI included "
+ "an un-escaped hash character");
+ }
+
/* ### do we need to do anything with r->proxyreq ?? */
/*
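Review bot: The comment above the `r->parsed_uri.fragment != NULL` check says these requests "may be more destructive than the user intended" but not why, and the reason is what a maintainer needs before touching this guard. I would spell it out, e.g. `/* An unescaped '#' makes the URI parser treat the remainder as a fragment, so the method (e.g. DELETE) would act on the truncated path instead of the resource the client named. */`. That wording is inferred from the check on the parsed fragment, so confirm it against the parser's behaviour. The error-log message also omits the offending Request-URI, which would help when triaging these 400 responses. If it is added, pass it as a `%s` argument and never as part of the format string. The handler function starts and ends outside this hunk.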