From fe995aa9af037bb29cb8e36ffebc20b81360fa1d Mon Sep 17 00:00:00 2001
From: "William A. Rowe Jr"
Date: Tue, 6 Aug 2002 16:27:36 +0000
Subject: [PATCH] This was never a 'vulnerability'... the APR_FILEPATH_SECUREROOT flag passed to apr_filepath_merge refused to merge any rooted 'addpath'. However, that isn't the traditional 1.3 behavior, so fly past any leading '/'s on the way to merging the uri to the DocumentRoot. PR: 10946
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@96314 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 3 +++
 server/core.c | 23 ++++++++++++++++++-----
 2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/CHANGES b/CHANGES
index c77af67932..a1a897fa18 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,8 @@ Changes with Apache 2.0.40
+ *) Accept multiple leading /'s for requests within the DocumentRoot.
+ PR 10946 [William Rowe]
+
 *) Solved the reports of .pdf byterange failures on Win32 alone. APR's sendfile for the win32 platform collapses header and trailer buffers into a single buffer. However, we destroyed the pointers
diff --git a/server/core.c b/server/core.c
index 09e4722761..78f8eab27b 100644
--- a/server/core.c
+++ b/server/core.c
@@ -3076,9 +3076,16 @@ AP_DECLARE_NONSTD(int) ap_core_translate(request_rec *r)
 && !strncmp(r->uri, r->server->path, r->server->pathlen)
 && (r->server->path[r->server->pathlen - 1] == '/'
 || r->uri[r->server->pathlen] == '/'
- || r->uri[r->server->pathlen] == '\0')) {
- if (apr_filepath_merge(&r->filename, conf->ap_document_root,
- r->uri + r->server->pathlen,
+ || r->uri[r->server->pathlen] == '\0'))
+ {
+ /* skip all leading /'s (e.g. http://localhost///foo)
+ * so we are looking at only the relative path.
+ */
+ char *path = r->uri + r->server->pathlen;
+ while (*path == '/') {
+ ++*path;
+ }
+ if (apr_filepath_merge(&r->filename, conf->ap_document_root, path,
 APR_FILEPATH_TRUENAME
 | APR_FILEPATH_SECUREROOT, r->pool)
 != APR_SUCCESS) {
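Review bot: The skip loop `while (*path == '/') { ++*path; }` increments the byte that `path` points at instead of advancing the pointer, so no slash is skipped: the first '/' inside `r->uri` is overwritten with the next character code ('0'), the loop exits, and `apr_filepath_merge` receives a corrupted path while `r->uri` itself stays modified for anything that reads it afterwards. The statement should be `++path;`, and declaring the variable as `const char *path` would make the compiler reject this kind of write, since the merge call only needs to read it. The second hunk (-3092/+3099, `char *path = r->uri;`) contains the identical loop and needs the same change. Because this translation step decides which file under the DocumentRoot a URI maps to, a regression test that requests `/foo` and `///foo` and checks both resolve to the same file would be worth adding. ap_core_translate's body starts and ends outside both hunks.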
@@ -3092,8 +3099,14 @@ AP_DECLARE_NONSTD(int) ap_core_translate(request_rec *r)
 * /'s in a row. This happens under windows when the document
 * root ends with a /
 */
- if (apr_filepath_merge(&r->filename, conf->ap_document_root,
- r->uri + ((*(r->uri) == '/') ? 1 : 0),
+ /* skip all leading /'s (e.g. http://localhost///foo)
+ * so we are looking at only the relative path.
+ */
+ char *path = r->uri;
+ while (*path == '/') {
+ ++*path;
+ }
+ if (apr_filepath_merge(&r->filename, conf->ap_document_root, path,
 APR_FILEPATH_TRUENAME
 | APR_FILEPATH_SECUREROOT, r->pool)
 != APR_SUCCESS) {
--
2.40.0
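Review bot: The leading-slash skip and its comment are now written out twice, here and in the hunk at -3076/+3076, differing only in the starting offset into `r->uri`. Computing the start pointer once and running a single skip loop ahead of the two `apr_filepath_merge` calls, or moving the loop into a small file-local helper, would keep the two branches from drifting apart when one of them is corrected. The enclosing block opens outside the hunk, so whether `char *path` sits at the start of a block here (as C89 compilers require) cannot be confirmed from the visible lines.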