Re: svn commit: r490142 - /httpd/httpd/trunk/modules/mappers/mod_alias.c

2006-12-25 Thread Ruediger Pluem


On 12/25/2006 01:06 PM,  wrote:
 Author: niq
 Date: Mon Dec 25 04:06:33 2006
 New Revision: 490142
 
 URL: http://svn.apache.org/viewvc?view=rev&rev=490142
 Log:
 PR#35314: Enable path components in Redirect
 
 Modified:
 httpd/httpd/trunk/modules/mappers/mod_alias.c
 
 Modified: httpd/httpd/trunk/modules/mappers/mod_alias.c
 URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_alias.c?view=diff&rev=490142&r1=490141&r2=490142
 ==
 --- httpd/httpd/trunk/modules/mappers/mod_alias.c (original)
 +++ httpd/httpd/trunk/modules/mappers/mod_alias.c Mon Dec 25 04:06:33 2006
 @@ -204,7 +204,10 @@
  if (ap_is_HTTP_REDIRECT(status)) {
  if (!url)
  return URL to redirect to is missing;
 -if (!use_regex  !ap_is_url(url))
 +/* PR#35314: we can allow path components here;
 + * they get correctly resolved to full URLs.
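
Review bot: The comment that replaces the removed `!ap_is_url(url)` check says path components "get correctly resolved to full URLs" but does not say where that resolution happens. Since this relaxes the config-time validation of the Redirect target, the comment should name the code path that produces the absolute Location value, and the replacement condition (cut off in this quote) should still reject a target that is neither a URL nor a path beginning with '/'.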

Where? A quick check shows that the resulting Location header has no scheme and host in front.
AFAICT this violates 14.30 of RFC2616 as the value of a Location header must be an absoluteURI
or better absolute-URI as defined in 4.3 of RFC3986.
Of course you can already create invalid Location headers with RedirectMatch. So it might make
sense to check the validity of a Location header after applying a Redirect(Match) to a request
to ensure that it results in an absolute-URI and maybe fix it if it does not seem to be one.

Regards

Rüdiger
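
The check suggested in the message above (validate a Location value after Redirect(Match) and fix it when it is not an absolute-URI), sketched as an added example. This is not mod_alias or httpd code; `is_absolute_uri`, `fix_location` and the scheme/host parameters are hypothetical names, and rejecting "//host" references, fragments and control characters is a choice made here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* RFC 3986 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
 * Returns the scheme length if s starts with "scheme:", else 0. */
static size_t scheme_len(const char *s)
{
    size_t i;
    if (!isalpha((unsigned char)s[0]))
        return 0;
    for (i = 1; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == ':')
            return i;
        if (!isalnum(c) && c != '+' && c != '-' && c != '.')
            return 0;
    }
    return 0;
}

/* RFC 3986 4.3: absolute-URI = scheme ":" hier-part [ "?" query ], no fragment.
 * Stricter by choice: non-empty hier-part; no CTLs, spaces or non-ASCII bytes. */
int is_absolute_uri(const char *s)
{
    size_t i, n = scheme_len(s);
    if (n == 0 || s[n + 1] == '\0')
        return 0;
    for (i = 0; s[i] != '\0'; i++)
        if ((unsigned char)s[i] <= ' ' || (unsigned char)s[i] >= 0x7f || s[i] == '#')
            return 0;
    return 1;
}

/* Hypothetical fix-up: keep an absolute-URI, prefix scheme://host to an absolute
 * path ("/x" but not "//x"), refuse the rest. Returns 0 on success, -1 otherwise. */
int fix_location(const char *value, const char *scheme, const char *host,
                 char *out, size_t outlen)
{
    int n;
    if (is_absolute_uri(value))
        n = snprintf(out, outlen, "%s", value);
    else if (value[0] == '/' && value[1] != '/')
        n = snprintf(out, outlen, "%s://%s%s", scheme, host, value);
    else
        return -1;
    return (n < 0 || (size_t)n >= outlen || !is_absolute_uri(out)) ? -1 : 0;
}
```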


Re: svn commit: r490142 - /httpd/httpd/trunk/modules/mappers/mod_alias.c

2006-12-25 Thread Nick Kew

On 25 Dec 2006, at 22:59, Ruediger Pluem wrote:




-if (!use_regex  !ap_is_url(url))
+/* PR#35314: we can allow path components here;
+ * they get correctly resolved to full URLs.


Where? A quick check shows that the resulting Location header has no scheme and host in front.
AFAICT this violates 14.30 of RFC2616 as the value of a Location header must be an absoluteURI
or better absolute-URI as defined in 4.3 of RFC3986.


What kind of a quick check?  I ran a case with leading slash, both from
httpd.conf and .htaccess, expecting to see broken Location headers which
I was then going to fix at the point where they're generated (which can't
be at config-time because we don't always have a server name at
that point).  But it returned full, valid and correct Location headers
to the client without me doing anything.  Hence the trivial change
and comment.

Of course you can already create invalid Location headers with RedirectMatch. So it might make
sense to check the validity of a Location header after applying a Redirect(Match) to a request
to ensure that it results in an absolute-URI and maybe fix it if it does not seem to be one.


I guessed a fix for that was responsible for the correct headers I saw.

--
Nick Kew