From: William A. Rowe Jr
Date: Thu, 13 Dec 2001 17:22:20 +0000 (+0000)
Subject: Apply the converse of the AcceptPathInfo patch for isapi's/cgi's.
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=aecd71feee6a919c71d6ec7f4712bcba8af9f3bc;p=apache

Apply the converse of the AcceptPathInfo patch for isapi's/cgi's. The default behavior remains, accept PATH_INFO, but it may be expressly revoked with AcceptPathInfo Off

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92452 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/arch/win32/mod_isapi.c b/modules/arch/win32/mod_isapi.c
index d45502ad1d..53d183accb 100644
--- a/modules/arch/win32/mod_isapi.c
+++ b/modules/arch/win32/mod_isapi.c
@@ -362,6 +362,9 @@ apr_status_t isapi_handler (request_rec *r)
 if (r->finfo.filetype != APR_REG)
 return HTTP_FORBIDDEN;
 
+ if (r->path_info && *r->path_info && !r->used_path_info)
+ return HTTP_NOT_FOUND;
+
 /* Load the isapi extention without caching (sconf == NULL)
 * but note that we will recover an existing cached module.
 */
diff --git a/modules/generators/mod_cgi.c b/modules/generators/mod_cgi.c
index 07a8548864..9046bf38cf 100644
--- a/modules/generators/mod_cgi.c
+++ b/modules/generators/mod_cgi.c
@@ -583,6 +583,10 @@ static int cgi_handler(request_rec *r)
 return log_scripterror(r, conf, HTTP_FORBIDDEN, 0,
 "attempt to invoke directory as script");
 
+ if (r->path_info && *r->path_info && !r->used_path_info) {
+ return log_scripterror(r, conf, HTTP_NOT_FOUND, 0,
+ "AcceptPathInfo off disallows user's path");
+ }
 /*
 if (!ap_suexec_enabled) {
 if (!ap_can_exec(&r->finfo))
diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c
index c279b30e8f..637434eb8d 100644
--- a/modules/generators/mod_cgid.c
+++ b/modules/generators/mod_cgid.c
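Review bot: The check added to isapi_handler returns `HTTP_NOT_FOUND` without writing to the error log, whereas the same check in the cgi_handler and cgid_handler hunks reports the refusal through log_scripterror. With AcceptPathInfo Off, refused ISAPI requests leave no error-log entry, so a misconfiguration or repeated requests with trailing path segments are harder to spot on the Windows side. Logging before the return would keep the three handlers consistent, e.g. `ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "AcceptPathInfo off disallows user's path: %s", r->filename);`, with the `if` braced as in the other two hunks. isapi_handler's body continues outside the hunk.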
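Review bot: The new test in cgi_handler carries no comment, and its meaning hinges on `r->used_path_info`, which is assigned outside this hunk. A zero value is read as "AcceptPathInfo Off", so a request that reaches the handler without the flag having been set would presumably get a 404 instead of running the script with PATH_INFO. A one-line comment above the `if` would record the intent, for example `/* AcceptPathInfo Off: refuse trailing path info rather than pass it to the script as PATH_INFO */`. The same applies to the identical test in the cgid_handler and isapi_handler hunks. cgi_handler's body starts and ends outside the hunk.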
@@ -907,6 +907,11 @@ static int cgid_handler(request_rec *r)
 if (r->finfo.filetype == APR_DIR)
 return log_scripterror(r, conf, HTTP_FORBIDDEN, 0,
 "attempt to invoke directory as script");
+
+ if (r->path_info && *r->path_info && !r->used_path_info) {
+ return log_scripterror(r, conf, HTTP_NOT_FOUND, 0,
+ "AcceptPathInfo off disallows user's path");
+ }
 /*
 if (!ap_suexec_enabled) {
 if (!ap_can_exec(&r->finfo))