From d3300f0b8defa02809f3d6501e33fcbdcbab5e96 Mon Sep 17 00:00:00 2001
From: Graham Leggett
Date: Sun, 26 May 2013 19:43:23 +0000
Subject: [PATCH] mod_dav: Make sure that when we prepare an If URL for Etag comparison, we compare unencoded paths. PR 53910
trunk patch: http://svn.apache.org/r1470940 http://svn.apache.org/r1477530
Submitted by: Timothy Wood
Reviewed by: minfrin, jim, jorton
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1486454 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 3 +++
 modules/dav/main/util.c | 11 ++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index 9ad48154b6..bda41f308e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@ Changes with Apache 2.4.5
+ *) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
+ we compare unencoded paths. PR 53910 [Timothy Wood ]
+
 *) 'AuthGroupFile' and 'AuthUserFile' do not accept anymore the optional 'standard' keyword . It was unused and not documented. PR54463 [Tianyin Xu and Christophe Jaillet]
diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c
index aa08584102..ca82f9c54f 100644
--- a/modules/dav/main/util.c
+++ b/modules/dav/main/util.c
@@ -635,9 +635,18 @@ static dav_error * dav_process_if_header(request_rec *r, dav_if_header **p_ih)
 /* clean up the URI a bit */
 ap_getparents(parsed_uri.path);
+
+ /* the resources we will compare to have unencoded paths */
+ if (ap_unescape_url(parsed_uri.path) != OK) {
+ return dav_new_error(r->pool, HTTP_BAD_REQUEST,
+ DAV_ERR_IF_TAGGED, rv,
+ "Invalid percent encoded URI in tagged If-header.");
+ }
+
 uri_len = strlen(parsed_uri.path);
- if (uri_len > 1 && parsed_uri.path[uri_len - 1] == '/')
+ if (uri_len > 1 && parsed_uri.path[uri_len - 1] == '/') {
 parsed_uri.path[--uri_len] = '\0';
+ }
 uri = parsed_uri.path;
 list_type = tagged;
--
2.50.1
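Review bot: The new `ap_unescape_url(parsed_uri.path)` call runs after `ap_getparents(parsed_uri.path)`, so dot segments that arrive percent-encoded in the tagged If-header URI are decoded only once the parent-collapsing pass has finished and stay in the path that is compared. Canonicalising after decoding avoids that: move `ap_getparents(parsed_uri.path);` below the unescape check so it runs on the decoded path. Separately, the `rv` handed to `dav_new_error` is not assigned from `ap_unescape_url` in this hunk, so it presumably carries the status of an earlier call; confirm that is intended or pass `0`. The body of dav_process_if_header starts and ends outside the hunk, so how `uri` is consumed afterwards is not visible here.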