mod_dav: Make sure that when we prepare an If URL for Etag comparison,

we compare unencoded paths. PR 53910

trunk patch: http://svn.apache.org/r1470940
             http://svn.apache.org/r1477530
Submitted by: Timothy Wood <tjw omnigroup.com>
Reviewed by: minfrin, jim, jorton

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1486454 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 9ad48154b6f16612a11fa14bdfaf56326417097c..bda41f308e6b74862ab1cf0340b42216900a1e8d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@
 
 Changes with Apache 2.4.5
 
+  *) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
+     we compare unencoded paths. PR 53910 [Timothy Wood <tjw omnigroup.com>]
+
   *) 'AuthGroupFile' and 'AuthUserFile' do not accept anymore the optional
      'standard' keyword . It was unused and not documented.
      PR54463 [Tianyin Xu <tixu cs.ucsd.edu> and Christophe Jaillet]

diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c
index aa0858410295f438e23370e255c7d1fcc2165dc4..ca82f9c54f1738b11a41f05f41ef074079e95d3c 100644 (file)
--- a/modules/dav/main/util.c
+++ b/modules/dav/main/util.c
@@ -635,9 +635,18 @@ static dav_error * dav_process_if_header(request_rec *r, dav_if_header **p_ih)
 
             /* clean up the URI a bit */
             ap_getparents(parsed_uri.path);
+
+            /* the resources we will compare to have unencoded paths */
+            if (ap_unescape_url(parsed_uri.path) != OK) {
+                return dav_new_error(r->pool, HTTP_BAD_REQUEST,
+                        DAV_ERR_IF_TAGGED, rv,
+                        "Invalid percent encoded URI in tagged If-header.");
+            }
+
             uri_len = strlen(parsed_uri.path);
-            if (uri_len > 1 && parsed_uri.path[uri_len - 1] == '/')
+            if (uri_len > 1 && parsed_uri.path[uri_len - 1] == '/') {
                 parsed_uri.path[--uri_len] = '\0';
+            }
 
             uri = parsed_uri.path;
             list_type = tagged;