Hi,
Attached is the patch for the fix of PR#21779.
I am not sure whether I have added that code at the best/ideal place, so please review it
and let me know if there is another place where I can put that check.
Thanks
Amit.A.
Index: mod_dav.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/dav/main/mod_dav.c,v
retrieving revision 1.101
diff -u -r1.101 mod_dav.c
--- mod_dav.c 25 Nov 2003 14:17:55 -0000 1.101
+++ mod_dav.c 1 Jan 2004 09:22:41 -0000
@@ -4563,6 +4563,20 @@
if (strcmp(r->handler, DAV_HANDLER_NAME) != 0)
return DECLINED;
+ /* At this point, we can safely assume that mod_dav is going to handle
+ * this request. So we can check existence of un-escaped # by checking
+ * URI fragment and reject requests with un-escaped # to avoid nasty results
+ */
+ if(r->parsed_uri.fragment != NULL){
+ ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL,
+ "Faulty client : Un-escaped '#' detected in request URI");
+ ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL,
+ "Denying the request to avoid nasty results");
+ return dav_error_response(r, HTTP_FORBIDDEN, "Faulty client : "
+ "Un-escaped hash character detected in"
+ "request URI");
+ }
+
/* ### do we need to do anything with r->proxyreq ?? */
/*
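Review bot: the message passed to dav_error_response() is missing a space between the adjacent string literals "Un-escaped hash character detected in" and "request URI", so the client will see "detected inrequest URI"; add a trailing space to the first literal ("... detected in "). Also, both ap_log_error() calls pass NULL as the server record, so the entries carry no request context; a single ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, r, ...) with the "Denying the request" text folded into the same message would log the client and request and halve the noise. Since an unescaped '#' is a malformed request rather than an access-control decision, HTTP_BAD_REQUEST describes the rejection better than HTTP_FORBIDDEN. The comment should state what the "nasty results" actually are (what mod_dav would otherwise do with such a URI) instead of leaving the reader to guess, and the "if(...){" spacing should follow the surrounding code's "if (...) {" style.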