flags |= T_ESCAPE_PATH_SEGMENT;
}
+#if defined(WIN32) || defined(OS2)
+ /* Win32/OS2 have many of the same vulnerable characters
+ * as Unix sh, plus the carriage return and percent char.
+ * The proper escaping of these characters varies from unix
+ * since Win32/OS2 use carets or doubled-double quotes,
+ * and neither lf nor cr can be escaped. We escape unix
+ * specific as well, to assure that cross-compiled unix
+ * applications behave similiarly when invoked on win32/os2.
+ */
+ if (strchr("&;`'\"|*?~<>^()[]{}$\\\n\r%", c)) {
+ flags |= T_ESCAPE_SHELL_CMD;
+ }
+#else
+ if (strchr("&;`'\"|*?~<>^()[]{}$\\\n", c)) {
+ flags |= T_ESCAPE_SHELL_CMD;
+ }
+#endif
+
if (!apr_isalnum(c) && !strchr("$-_.+!*'(),:@&=/~", c)) {
flags |= T_OS_ESCAPE_PATH;
}
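Review bot: The two `strchr` character lists in the added `#if`/`#else` differ only by the trailing `\r%`, so a later edit to one list can silently miss the other. Defining the Unix list once as a string macro and testing `strchr(UNIX_SHELL_CHARS "\r%", c)` under WIN32/OS2 would keep them in step. `strchr` also matches the terminating NUL, so if `c` can be 0 here (the enclosing loop is outside the hunk) the flag is set for NUL as well; `if (c && strchr(...))` states the intent. The comment has a typo, "similiarly" for "similarly".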
for (; *s; ++s) {
#if defined(OS2) || defined(WIN32)
- /* Don't allow '&' in parameters under OS/2. */
- /* This can be used to send commands to the shell. */
- if (*s == '&') {
- *d++ = ' ';
- continue;
- }
+ /*
+ * Newlines to Win32/OS2 CreateProcess() are ill advised.
+ * Convert them to spaces since they are effectively white
+ * space to most applications
+ */
+ if (*s == '\r' || *s == '\n') {
+ *d++ = ' ';
+ continue;
+ }
#endif
if (TEST_CHAR(*s, T_ESCAPE_SHELL_CMD)) {
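Review bot: With the `*s == '&'` replacement removed, `&` on Win32/OS2 is now handled only by the `TEST_CHAR(*s, T_ESCAPE_SHELL_CMD)` branch on the last line, whose body lies outside the hunk. If that branch prefixes a backslash, as is usual for Unix sh, then `&` and the newly flagged `%` are probably not neutralised for the Windows/OS2 command interpreter, which the table-generator comment in this same patch says uses carets or doubled double quotes. Please confirm what the branch emits on these platforms and record it next to the CR/LF comment, e.g. `/* '&' and '%' are escaped below via T_ESCAPE_SHELL_CMD */`. Until that is verified, keeping `if (*s == '&' || *s == '\r' || *s == '\n')` as the replace-with-space condition is the safer behaviour.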
* Failure is due to
* bad % escape returns HTTP_BAD_REQUEST
*
- * decoding %00 -> \0
+ * decoding %00 -> \0 (the null character)
* decoding %2f -> / (a special character)
* returns HTTP_NOT_FOUND
*/