On Mon, Jun 22, 2020 at 11:20 AM jean-frederic clere <jfcl...@gmail.com> wrote:
>
> On 19/06/2020 12:02, Yann Ylavic wrote:
> > On Thu, Jun 18, 2020 at 6:37 PM jean-frederic clere <jfcl...@gmail.com> 
> > wrote:
> >>
> >> ProxyMappingDecoded Off
> >> ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@  mapping=servlet
> > []
> >> what is going wrong with
> >> "http://localhost:8000/docs/..;food=bar/test;food=bar/index.jsp";
> >> same for "curl -v --path-as-is
> >> "http://localhost:8000/test;food=bar/index.jsp";
> >
> > Good catch, should be fixed with
> > https://github.com/apache/httpd/compare/491a115344e37df21996f323eefd16136d278360..d9f12223ba45e520dd018baf7be084809d531d81
> > Latest version of the PR should be OK.
> >
> > Now it results in: ajp://localhost:8009/test;food=bar/index.jsp
> > We keep the path parameters since the alias (/test) does not end with '/'.
>
> Cool fixed.

Thanks for testing.

>
> >
> >>
> >> ProxyMappingDecoded On
> >> ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@
> >> mapping=servlet 404 httpd.
> >>
> >> ProxyMappingDecoded On
> >> ProxyPass  /test ajp://localhost:8009/test secret=%A1b2!@ 404 httpd.
> >
> > Hmm, I can't reproduce these ones, they do not take the
> > alias_match_servlet() path and should not be affected by my changes.
> > Can you still reproduce with the latest version? I made some pushes
> > yesterday, perhaps a transient invalid state...
>
> In fact I was screwing it, sorry:
>
> But there is still something I want to prevent:
> ProxyPass  /docs ajp://localhost:8009/docs
> and url like:
> curl -v --path-as-is "http://localhost:8000/docs/..;food=bar/test/index.jsp";
> How do we do that? Do we want a 400 for that? (my proposal do that :-)).

Why would we 400?
Either there is a mapping for /test[/] and we'll be OK, or there is
none and we'll be DECLINED.

The 400 will come only if no module handles the URI, and if the
default_handler() finds no "docs/..;food=bar/test/index.jsp" in the
path (where "..;foo=bar" is not considered a directory traversal in
this case).

On my system, this runs smoothly:
$ mkdir -p 'docs/..;foo=bar/test'
$ touch 'docs/..;foo=bar/test/index.php'
$ ls 'docs/..;foo=bar/test/index.php'
'docs/..;foo=bar/test/index.php'


Regards;
Yann.
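The thread turns on one distinction: a servlet container strips ";name=value" path parameters from every segment before resolving "..", so "..;food=bar" climbs a directory, whereas the filesystem (Yann's mkdir/touch test) and a plain string match treat "..;food=bar" as an ordinary directory name. The script below is an added example written for this page, not code from httpd or from either poster; servlet_normalize(), literal_normalize(), matches_alias() and escapes_alias() are hypothetical helpers, not httpd's alias_match_servlet() or default_handler(). It shows how the same request, "/docs/..;food=bar/test/index.jsp", falls under alias "/docs" for a literal match yet lands on "/test/index.jsp" for a servlet backend, which is exactly the case a servlet-aware mapping has to decline rather than forward.

```python
"""Servlet-style versus literal path handling for a ProxyPass-like alias.

Hypothetical helpers written for this example (not httpd code). Under
servlet rules every segment may carry ';name=value' parameters that are
dropped before '.' and '..' are collapsed; under literal rules the segment
'..;food=bar' is just a directory name, as on the filesystem.
"""
from typing import List, Optional


def strip_segment_params(segment: str) -> str:
    """Drop ';name=value' path parameters from one segment (servlet rule)."""
    return segment.split(";", 1)[0]


def _normalize(path: str, servlet: bool) -> Optional[str]:
    """Collapse '.' and '..'; with servlet=True strip params from each segment first.

    Returns None when '..' would climb above the root. A trailing slash is not
    preserved, which is fine for the prefix matching done below.
    """
    out: List[str] = []
    for seg in path.split("/"):
        if servlet:
            seg = strip_segment_params(seg)
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def servlet_normalize(path: str) -> Optional[str]:
    """The path a servlet backend such as Tomcat effectively resolves."""
    return _normalize(path, servlet=True)


def literal_normalize(path: str) -> Optional[str]:
    """The path a filesystem lookup sees: '..;food=bar' is a plain directory name."""
    return _normalize(path, servlet=False)


def matches_alias(path: str, alias: str, servlet: bool) -> bool:
    """Does the request fall under an alias prefix such as '/docs' or '/test'?

    With servlet=True the comparison is made on the servlet-normalized path,
    so '/test;food=bar/index.jsp' is under '/test' but
    '/docs/..;food=bar/test/index.jsp' is not under '/docs'.
    """
    norm = _normalize(path, servlet=servlet)
    if norm is None:
        return False
    alias = alias.rstrip("/") or "/"
    if alias == "/":
        return True
    return norm == alias or norm.startswith(alias + "/")


def escapes_alias(path: str, alias: str) -> bool:
    """True when a literal prefix match would forward a request that a servlet
    backend resolves outside the alias: the '..;food=bar' trick."""
    return matches_alias(path, alias, servlet=False) and not matches_alias(
        path, alias, servlet=True
    )


if __name__ == "__main__":
    # Constructed requests taken from the cases discussed in the thread.
    cases = [
        ("/docs/..;food=bar/test/index.jsp", "/docs"),
        ("/docs/..;food=bar/test;food=bar/index.jsp", "/test"),
        ("/test;food=bar/index.jsp", "/test"),
        ("/docs/sub/index.jsp", "/docs"),
    ]
    for req, alias in cases:
        print(
            f"{req!r} alias={alias}: literal={literal_normalize(req)!r} "
            f"servlet={servlet_normalize(req)!r} "
            f"literal_match={matches_alias(req, alias, servlet=False)} "
            f"servlet_match={matches_alias(req, alias, servlet=True)} "
            f"escapes={escapes_alias(req, alias)}"
        )
```

escapes_alias() is the check a reverse-proxy operator wants in front of a servlet backend: a request that matches the alias only literally is one the backend will resolve somewhere else, so it should be declined (or rejected outright), not forwarded under the alias's credentials.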
