Hi Gregg, On Sat, Jun 24, 2017 at 7:49 AM, <gsm...@apache.org> wrote: > Author: gsmith > Date: Sat Jun 24 05:49:45 2017 > New Revision: 1799731 > > URL: http://svn.apache.org/viewvc?rev=1799731&view=rev > Log: > Send a 404 response like other OSs do instead of 403 on Windows when > a path segment or file requested uses a reserved word so Windows > cannot be fingerprinted. PR55887 > > Modified: > httpd/httpd/trunk/server/request.c > > Modified: httpd/httpd/trunk/server/request.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/server/request.c?rev=1799731&r1=1799730&r2=1799731&view=diff > ============================================================================== > --- httpd/httpd/trunk/server/request.c (original) > +++ httpd/httpd/trunk/server/request.c Sat Jun 24 05:49:45 2017 > @@ -1211,10 +1211,25 @@ AP_DECLARE(int) ap_directory_walk(reques > break; > } > else if (thisinfo.filetype != APR_DIR) { > +#ifdef _WIN32 > + ap_regex_t *preg; > +#endif > ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00038) > "Forbidden: %s doesn't point to " > "a file or directory", > r->filename); > +#ifdef _WIN32 > + /* Windows has a number of reserved words that cannot be used > + * as a file or directory name so thisinfo.filetype will > + * always be != APR_DIR. Don't allow us be fingerprinted with > + * a 403 and instead send a 404 like other OSs would. PR55887 > + */ > + preg = ap_pregcomp(r->pool, > + > "/(aux|con|com[1-9]|lpt[1-9]|nul|prn)" > + "($|/|.)", > AP_REG_EXTENDED | AP_REG_ICASE);
Couldn't we compile this regexp once at load time (e.g. a static preg at pre/post_config)? > + if (ap_regexec(preg, r->uri, 0, NULL, 0) == 0) > + return r->status = HTTP_NOT_FOUND; > +#endif > return r->status = HTTP_FORBIDDEN; > } Regards, Yann.
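Review bot: In the pattern passed to ap_pregcomp, the last group `($|/|.)` contains an unescaped `.`, which matches any character, so the group no longer limits where the reserved word ends. A URI with a segment that merely starts with a reserved word, for example `/contact`, would match on `con` and be answered with a 404 in this branch. Writing it as `\\.` in the C string would restrict the match to end of string, `/` or a literal dot. The pointer returned by ap_pregcomp is also handed to ap_regexec without a NULL check; compiling the pattern once at startup, as suggested in the reply, would give one place to check it.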