From dc55d74fe008b846bf351c454f88d50b85c81dfa Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Mon, 22 Jun 2020 10:35:50 +0000
Subject: Validate request-target per RFC 7230 section 5.3.

RFC 7230 requires that the request-line URI be absolute, besides
"CONNECT authority-form" and "OPTIONS asterisk-form".

Enforce it in ap_parse_request_line().



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1879078 13f79535-47bb-0310-9956-ffa450edef68
---
 server/protocol.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

(limited to 'server/protocol.c')

diff --git a/server/protocol.c b/server/protocol.c
index fcfe9ac195..7b2449650f 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -640,8 +640,15 @@ AP_CORE_DECLARE(void) ap_parse_uri(request_rec *r, const char *uri)
         }
 
         r->args = r->parsed_uri.query;
-        r->uri = r->parsed_uri.path ? r->parsed_uri.path
-                 : apr_pstrdup(r->pool, "/");
+        if (r->parsed_uri.path) {
+            r->uri = r->parsed_uri.path;
+        }
+        else if (r->method_number == M_OPTIONS) {
+            r->uri = apr_pstrdup(r->pool, "*");
+        }
+        else {
+            r->uri = apr_pstrdup(r->pool, "/");
+        }
 
 #if defined(OS2) || defined(WIN32)
         /* Handle path translations for OS/2 and plug security hole.
@@ -905,6 +912,14 @@ rrl_done:
         r->header_only = 1;
 
     ap_parse_uri(r, uri);
+    if (r->status == HTTP_OK
+            && (r->parsed_uri.path != NULL)
+            && (r->parsed_uri.path[0] != '/')
+            && (r->method_number != M_OPTIONS
+                || strcmp(r->parsed_uri.path, "*") != 0)) {
+        /* Invalid request-target per RFC 7230 section 5.3 */
+        r->status = HTTP_BAD_REQUEST;
+    }
 
     /* With the request understood, we can consider HTTP/0.9 specific errors */
     if (r->proto_num == HTTP_VERSION(0, 9) && deferred_error == rrl_none) {
-- 
cgit v1.2.3