From 029da7dc7b05a611397462ca97a980725b9cfd08 Mon Sep 17 00:00:00 2001
From: "William A. Rowe Jr" <wrowe@apache.org>
Date: Thu, 21 Mar 2002 05:28:14 +0000
Subject: [PATCH]   Correct our list of escape characters to include percent
 and the   carriage return on Win32/OS2, and modify the \r \n escaping to
 account   for the fact that Win32/OS2 don't pass these characters through a
 true   argv[] mechansim; replace them with a whitespace since they
 effectively   are for most applications.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94070 13f79535-47bb-0310-9956-ffa450edef68
---
 server/gen_test_char.c | 18 ++++++++++++++++++
 server/util.c          | 17 ++++++++++-------
 2 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/server/gen_test_char.c b/server/gen_test_char.c
index e85106f2e1..9b62163e87 100644
--- a/server/gen_test_char.c
+++ b/server/gen_test_char.c
@@ -110,6 +110,24 @@ int main(int argc, char *argv[])
             flags |= T_ESCAPE_PATH_SEGMENT;
         }
 
+#if defined(WIN32) || defined(OS2)
+        /* Win32/OS2 have many of the same vulnerable characters
+         * as Unix sh, plus the carriage return and percent char.
+         * The proper escaping of these characters varies from unix
+         * since Win32/OS2 use carets or doubled-double quotes, 
+         * and neither lf nor cr can be escaped.  We escape unix 
+         * specific as well, to assure that cross-compiled unix 
+         * applications behave similiarly when invoked on win32/os2.
+         */
+        if (strchr("&;`'\"|*?~<>^()[]{}$\\\n\r%", c)) {
+ 	    flags |= T_ESCAPE_SHELL_CMD;
+ 	}
+#else
+        if (strchr("&;`'\"|*?~<>^()[]{}$\\\n", c)) {
+	    flags |= T_ESCAPE_SHELL_CMD;
+	}
+#endif
+
         if (!apr_isalnum(c) && !strchr("$-_.+!*'(),:@&=/~", c)) {
             flags |= T_OS_ESCAPE_PATH;
         }
diff --git a/server/util.c b/server/util.c
index b60a3a760c..3885786520 100644
--- a/server/util.c
+++ b/server/util.c
@@ -1454,12 +1454,15 @@ AP_DECLARE(char *) ap_escape_shell_cmd(apr_pool_t *p, const char *str)
     for (; *s; ++s) {
 
 #if defined(OS2) || defined(WIN32)
-	/* Don't allow '&' in parameters under OS/2. */
-	/* This can be used to send commands to the shell. */
-	if (*s == '&') {
-	    *d++ = ' ';
-	    continue;
-	}
+        /* 
+         * Newlines to Win32/OS2 CreateProcess() are ill advised.
+         * Convert them to spaces since they are effectively white
+         * space to most applications
+         */
+        if (*s == '\r' || *s == '\n') {
+ 	    *d++ = ' ';
+ 	    continue;
+ 	}
 #endif
 
 	if (TEST_CHAR(*s, T_ESCAPE_SHELL_CMD)) {
@@ -1498,7 +1501,7 @@ static char x2c(const char *what)
  * Failure is due to
  *   bad % escape       returns HTTP_BAD_REQUEST
  *
- *   decoding %00 -> \0
+ *   decoding %00 -> \0  (the null character)
  *   decoding %2f -> /   (a special character)
  *                      returns HTTP_NOT_FOUND
  */
-- 
2.40.0