On Sat, Jun 13, 2020 at 11:18 AM jean-frederic clere <jfcl...@gmail.com> wrote: > > On 11/06/2020 13:50, Yann Ylavic wrote: > > On Thu, Jun 11, 2020 at 1:22 PM Yann Ylavic <ylavic....@gmail.com> wrote: > >> > >> On Thu, Jun 11, 2020 at 9:57 AM Yann Ylavic <ylavic....@gmail.com> wrote: > >>> > >>> On Thu, Jun 11, 2020 at 9:50 AM Yann Ylavic <ylavic....@gmail.com> wrote: > >>>> > >>>> We need a way to forward non %-decoded URLs upto mod_proxy (reverse) > >>>> if we want to normalize a second time.. > >>> > >>> IOW, this block in ap_process_request_internal(): > >> [snip] > >>> Should go _after_ the following: > >> [snip] > >> > >> Or we could introduce a new pre_translate_name hook which would > >> execute before %-decoding, and be used by mod_proxy when > >> "ProxyPreTranslation on" is configured, and be a prerequisite for > >> mapping=servlet. > >> > >> I find ProxyPreTranslation also useful for the non-servlet case btw. > >> > >> Something like this attached v2 patch. > > > > Here is a v3 with the relevant pre_translate_name hooks only and > > ap_getparents() preserved when the URI does not start with '/' (which > > makes the patch read better too). > > with this patch, how to I get: > curl -v --path-as-is "http://localhost:8000/docs/..;food=bar/test/index.jsp > > Mapped to > ProxyPass /test ajp://localhost:8009/test secret=%A1b2!@ > Or rejected in case I have only: > ProxyPass /docs ajp://localhost:8009/docs secret=%A1b2!@
Right sorry, it does not work with patch v3, I mainly focused on the "decode at the right place" part of the issue, which is not your point.. I just staged a more complete proposal in https://github.com/apache/httpd/pull/128 For the proxy servlet part, I think that we need a dedicated alias_match() for servlet mapping (called alias_match_servlet() in the PR), we can't normalize and match separately or the matched length is completely off wrt the original URI-path. Can you please try with the patches there? (the last is not really necessary, it's just to complete the PR should this be merged). You need to set: ProxyMappingDecoded off in your vhost (or directory) for servlet mapping to be active, with a ProxyPass like: ProxyPass /good/ http://127.0.0.1:80/good/ mapping=servlet I tried with paths like "/bad/..;foo=bar/.;foo=bar//other;foo=bar//..;foo=bar/good;foo1=bar1/;foo2=bar2/.;foo3=bar3///./index.html" which results in "/good/;foo2=bar2/.;foo3=bar3///./index.html" being forwarded, still things that shouldn't be seem to be declined. The code in alias_match_servlet() is not really simple, but neither is servlet mapping.. Regards; Yann.
