Am Dienstag, 13. August 2013, 13:34:49 schrieb Mike Rumph:
> The ProxyPass directive is processed by the add_pass_noregex
> function in mod_proxy.c. This calls add_pass which calls
> ap_proxy_add_worker in proxy_util.c. ap_proxy_add_worker passes an
> uninterpolated URL to apr_uri_parse() in apr-util/uri/apr_uri.c.
> This is true for both httpd 2.2.22 and httpd 2.2.25.
>
> As a result of the fix for bug 52479,
> apr_uri_parse no longer allows the interpolation characters (${}) to
> pass through cleanly.
>
> The patch I submitted will allow the characters to pass through.
>
> But perhaps it is not correct for mod_proxy to be passing
> uninterpolated URLs to apr_uri to begin with. Perhaps the mod_proxy
> interpolation code should be structured differently.
This means httpd depends on a bug in apr_uri_parse(). I don't think we
should re-introduce the bug, but fix httpd instead. If it needs to
call apr_uri_parse() before interpolation, it could convert the
special characters to strings that are acceptable in any URI part,
call apr_uri_parse(), and then convert the strings back. Maybe replace
'${' with __proxy_interpolate_start__ and '}' with
__proxy_interpolate_end__? Or create a random string and check that it
does not appear in the uri?
It would be nicer if httpd could call apr_uri_parse() only after
interpolation, but I don't know the relevant code and can't say if
that's feasible.
