authorYann Ylavic <ylavic@apache.org>2021-09-29 14:35:25 +0200
committerYann Ylavic <ylavic@apache.org>2021-09-29 14:35:25 +0200
commite150697086e70c552b2588f369f2d17815cb1782 (patch)
tree3308f1e6749ecf30e44054da70a228f9a8518eac /server/util.c
parentClarify where the element can be obtained. (diff)
core: AP_NORMALIZE_DECODE_UNRESERVED should normalize the second encoded dot.
Otherwise ap_normalize_path() can leave some "%2e" encoded. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1893724 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'server/util.c')
-rw-r--r--server/util.c20
1 files changed, 15 insertions, 5 deletions
diff --git a/server/util.c b/server/util.c
index d56af38767..87412eb97c 100644
--- a/server/util.c
+++ b/server/util.c
@@ -503,7 +503,8 @@ static char x2c(const char *what);
AP_DECLARE(int) ap_normalize_path(char *path, unsigned int flags)
{
int ret = 1;
- apr_size_t l = 1, w = 1;
+ apr_size_t l = 1, w = 1, n;
+ int decode_unreserved = (flags & AP_NORMALIZE_DECODE_UNRESERVED) != 0;
if (!IS_SLASH(path[0])) {
/* Besides "OPTIONS *", a request-target should start with '/'
@@ -530,7 +531,7 @@ AP_DECLARE(int) ap_normalize_path(char *path, unsigned int flags)
* be decoded to their corresponding unreserved characters by
* URI normalizers.
*/
- if ((flags & AP_NORMALIZE_DECODE_UNRESERVED)
+ if (decode_unreserved
&& path[l] == '%' && apr_isxdigit(path[l + 1])
&& apr_isxdigit(path[l + 2])) {
const char c = x2c(&path[l + 1]);
@@ -568,8 +569,17 @@ AP_DECLARE(int) ap_normalize_path(char *path, unsigned int flags)
continue;
}
- /* Remove /xx/../ segments */
- if (path[l + 1] == '.' && IS_SLASH_OR_NUL(path[l + 2])) {
+ /* Remove /xx/../ segments (or /xx/.%2e/ when
+ * AP_NORMALIZE_DECODE_UNRESERVED is set since we
+ * decoded only the first dot above).
+ */
+ n = l + 1;
+ if ((path[n] == '.' || (decode_unreserved
+ && path[n] == '%'
+ && path[++n] == '2'
+ && (path[++n] == 'e'
+ || path[n] == 'E')))
+ && IS_SLASH_OR_NUL(path[n + 1])) {
/* Wind w back to remove the previous segment */
if (w > 1) {
do {
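Review bot: The encoded-dot test starting at `path[n] == '%'` recognises exactly one layer of percent-encoding, so it only covers what this single pass over the path can see. If a caller percent-decodes the path again after ap_normalize_path() returns, a segment that turns into `..` only at that later step is not removed here; the callers are outside this hunk, so this is inferred rather than shown. The new comment should state that contract, for example `/* Only one level of %-encoding is recognised here; a caller that unescapes afterwards must re-check for dot segments. */`. A regression test with `%2e` and `%2E` in the second position, with and without AP_NORMALIZE_DECODE_UNRESERVED, would pin the behaviour. The enclosing function starts and ends outside the hunk.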
@@ -586,7 +596,7 @@ AP_DECLARE(int) ap_normalize_path(char *path, unsigned int flags)
}
/* Move l forward to the next segment */
- l += 2;
+ l = n + 1;
if (path[l]) {
l++;
}
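Review bot: `l = n + 1` is only correct because the `++n` side effects in the dot-segment condition of the previous hunk leave n on the second dot or on the last hex digit of `%2e`. When that condition fails, n can stop at any of three offsets, and nothing in the code says n must not be read on that path. A comment above the assignment such as `/* n indexes the last byte of the ".." or ".%2e" segment matched above */` would make the dependency explicit. Alternatively the condition could index `path[n + 1]` and `path[n + 2]` and advance n once inside the branch. This assumes the assignment sits inside the branch guarded by that condition, which opens outside this hunk.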