On 10/7/21 2:27 PM, yla...@apache.org wrote:
> Author: ylavic
> Date: Thu Oct 7 12:27:43 2021
> New Revision: 1893977
>
> URL: http://svn.apache.org/viewvc?rev=1893977=rev
> Log:
> Merge r1893971 from trunk:
>
> core: Add ap_unescape_url_ex() for better decoding control, and deprecate
> unused AP_NORMALIZE_DROP_PARAMETERS flag.
>
> Submitted by: ylavic
> Reviewed by: ylavic, icing, gbechis
>
> Modified:
> httpd/httpd/branches/2.4.x/ (props changed)
> httpd/httpd/branches/2.4.x/CHANGES
> httpd/httpd/branches/2.4.x/include/ap_mmn.h
> httpd/httpd/branches/2.4.x/include/httpd.h
> httpd/httpd/branches/2.4.x/server/gen_test_char.c
> httpd/httpd/branches/2.4.x/server/request.c
> httpd/httpd/branches/2.4.x/server/util.c
>
> Propchange: httpd/httpd/branches/2.4.x/
> --
> Merged /httpd/httpd/trunk:r1893971
>
> Modified: httpd/httpd/branches/2.4.x/CHANGES
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1893977=1893976=1893977=diff
> ==
> --- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
> +++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Thu Oct 7 12:27:43 2021
> @@ -1,6 +1,10 @@
> -*- coding: utf-8
> -*-
> Changes with Apache 2.4.51
>
> + *) core: Add ap_unescape_url_ex() for better decoding control, and
> deprecate
> + unused AP_NORMALIZE_DROP_PARAMETERS flag.
> + [Yann Ylavic, Ruediger Pluem, Stefan Eissing, Joe Orton]
> +
> Changes with Apache 2.4.50
>
>*) SECURITY: CVE-2021-41773: Path traversal and file disclosure
>
> Modified: httpd/httpd/branches/2.4.x/include/ap_mmn.h
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/include/ap_mmn.h?rev=1893977=1893976=1893977=diff
> ==
> --- httpd/httpd/branches/2.4.x/include/ap_mmn.h (original)
> +++ httpd/httpd/branches/2.4.x/include/ap_mmn.h Thu Oct 7 12:27:43 2021
> @@ -579,6 +579,9 @@
> * ap_proxy_define_worker_ex() to mod_proxy.h
> * 20120211.116 (2.4.49-dev) add conn_rec->outgoing and
> ap_ssl_bind_outgoing()
> * 20120211.117 (2.4.50-dev) Add ap_pre_connection
> + * 20210926.1 (2.5.1-dev) Add ap_unescape_url_ex() and deprecate
> + * AP_NORMALIZE_DROP_PARAMETERS
> + *
> */
>
This is wrong and needs fixing. I have the below fix in my working copy that I
can commit instantly:
Index: include/ap_mmn.h
===
--- include/ap_mmn.h(revision 1893979)
+++ include/ap_mmn.h(working copy)
@@ -579,7 +579,7 @@
* ap_proxy_define_worker_ex() to mod_proxy.h
* 20120211.116 (2.4.49-dev) add conn_rec->outgoing and ap_ssl_bind_outgoing()
* 20120211.117 (2.4.50-dev) Add ap_pre_connection
- * 20210926.1 (2.5.1-dev) Add ap_unescape_url_ex() and deprecate
+ * 20120211.118 (2.4.51-dev) Add ap_unescape_url_ex() and deprecate
* AP_NORMALIZE_DROP_PARAMETERS
*
*/
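Review bot: The bare ` *` line kept as context just before the closing `*/` is a leftover from the original commit, which added it as `+ *`. The earlier entries in this list (20120211.116, 20120211.117) follow one another with no blank comment line, so that line could be dropped in this same fix, letting the history end on the AP_NORMALIZE_DROP_PARAMETERS continuation line.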
@@ -589,7 +589,7 @@
#ifndef MODULE_MAGIC_NUMBER_MAJOR
#define MODULE_MAGIC_NUMBER_MAJOR 20120211
#endif
-#define MODULE_MAGIC_NUMBER_MINOR 117 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 118 /* 0...n */
/**
* Determine if the server's current MODULE_MAGIC_NUMBER is at least a
Regards
Rüdiger
> #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
>
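Review bot: The added history entry is numbered 20210926.1 (2.5.1-dev), but this file is on the 2.4.x branch and the neighbouring entries are 20120211.116 (2.4.49-dev) and 20120211.117 (2.4.50-dev), so the trunk number appears to have been merged over unchanged. The hunk also touches only the comment: no MODULE_MAGIC_NUMBER_MINOR change appears for this file, so a module has no minor number it can test to know that ap_unescape_url_ex() is available. The entry should read 20120211.118 (2.4.51-dev), with the minor define raised to 118 in the same commit.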
> Modified: httpd/httpd/branches/2.4.x/include/httpd.h
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/include/httpd.h?rev=1893977=1893976=1893977=diff
> ==
> --- httpd/httpd/branches/2.4.x/include/httpd.h (original)
> +++ httpd/httpd/branches/2.4.x/include/httpd.h Thu Oct 7 12:27:43 2021
> @@ -1741,6 +1741,18 @@ AP_DECLARE(int) ap_unescape_url(char *ur
> */
> AP_DECLARE(int) ap_unescape_url_keep2f(char *url, int decode_slashes);
>
> +#define AP_UNESCAPE_URL_KEEP_UNRESERVED (1u << 0)
> +#define AP_UNESCAPE_URL_FORBID_SLASHES (1u << 1)
> +#define AP_UNESCAPE_URL_KEEP_SLASHES(1u << 2)
> +
> +/**
> + * Unescape a URL, with options
> + * @param url The url to unescape
> + * @param flags Bitmask of AP_UNESCAPE_URL_* flags
> + * @return 0 on success, non-zero otherwise
> + */
> +AP_DECLARE(int) ap_unescape_url_ex(char *url, unsigned int flags);
> +
> /**
> * Unescape an application/x-www-form-urlencoded string
> * @param query The query to unescape
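Review bot: The doc comment on ap_unescape_url_ex() says only "Bitmask of AP_UNESCAPE_URL_* flags", and none of the three new flag defines has a description of its own. Callers need to know what each flag keeps or rejects, what happens when AP_UNESCAPE_URL_FORBID_SLASHES and AP_UNESCAPE_URL_KEEP_SLASHES are both set, and which non-zero values "@return 0 on success, non-zero otherwise" covers, because how encoded slashes are decoded determines what any later path check actually sees. A one-line comment per flag and a list of the possible return codes would settle it.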
> @@ -1768,7 +1780,7 @@ AP_DECLARE(void) ap_no2slash_ex(char *na
> #define AP_NORMALIZE_NOT_ABOVE_ROOT (1u << 1)
> #define AP_NORMALIZE_DECODE_UNRESERVED (1u << 2)
> #define AP_NORMALIZE_MERGE_SLASHES (1u << 3)
> -#define AP_NORMALIZE_DROP_PARAMETERS(1u << 4)
> +#define