Rainer, On 10/23/2011 12:19 PM, [email protected] wrote: > +/* > + * Find the first occurrence of path in uri tokenized by "/". > + * The comparison is done case insensitive. > + */ > +static const char *find_path_in_uri(const char *uri, const char *path) > +{ > + size_t len = strlen(path); > + while (uri = strchr(uri, '/')) {
I think "//" in a URL will cause this loop to exit early, possibly
avoiding this security check.
> + uri++;
> + if (!strncmp(uri, path, len) &&
strncmp doesn't use case-insensitive compare: will this ever match if
you use "web-inf" (as below)?
> + (*(uri + len) == '/' ||
> + strlen(uri) == len)) {
> + return uri;
> + }
> + }
> + return NULL;
> +}
> +
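Review bot: the comparison at `if (!strncmp(uri, path, len) &&` is case-sensitive, while the function comment says it is done case insensitive and the check this replaces used stristr. Use a case-insensitive bounded compare there (strncasecmp where the platform has it, or a project helper), or correct the comment. Two smaller points in the same function: `strlen(uri) == len` rescans the rest of the URI for every segment and can be written as `*(uri + len) == '\0'`, since strncmp has already matched len characters at that point; and `while (uri = strchr(uri, '/'))` should carry an extra pair of parentheses around the assignment so compilers do not warn about it.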
> static int uri_is_web_inf(const char *uri)
> {
> - if (stristr(uri, "/web-inf")) {
> + if (find_path_in_uri(uri, "web-inf")) {
> return JK_TRUE;
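Review bot: the removed `stristr(uri, "/web-inf")` matched in any letter case, so the lowercase literal in `find_path_in_uri(uri, "web-inf")` keeps that behaviour only if the helper compares without regard to case; as quoted it calls strncmp. Please add a test for this function that feeds it mixed-case input such as "/WEB-INF/" together with a segment that merely starts with the name, so both the case handling and the new whole-segment matching are pinned down.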
This will return JK_TRUE if "web-inf" occurs at any place in the path,
not just at the context level. Is that a problem? I can imagine that a
request for /context/foo/WEB-INF/something might be valid.
-chris
