RE: [mod-security-users] REQUEST_URI decodes URI before running checks
From: Eli <eli...@ex...> - 2005-02-18 17:50:05
Ivan wrote:
> Eli wrote:
> > Now, I couldn't find out if there's a way to disable this URI decoding so it
>
> Correct, because there isn't one.
Gah!
Ok, the reason for not having this yet and not having it until v2.x - is it
because of time required to work on development? I don't mind helping...
I hacked in a flag called "SecFilterDoURLDecoding" (I think - haven't test
compiled yet) and hopefully added all the required entries for the
"dcfg->check_decoding" config parameter. My only question is:

    char *normalise(request_rec *r, sec_dir_config *dcfg, char *_uri, char **error_msg) {
        char *uri;

        if (_uri == NULL) return NULL;
        uri = ap_pstrdup(r->pool, _uri);
        if (uri == NULL) return NULL;
        if (dcfg->check_decoding) return uri; // is this correct?
        return normalise_inplace(r, dcfg, uri, error_msg);
    }

I don't know if the "return uri" is the right way to do it or not. Will
this cause a memory leak at all, or return something the user wouldn't
expect?
If that looks OK to you, I'm gonna test this out and see if it segs or not
:) If not, I'll send you the patch - it's for the apache 1.x module only
though since I don't have Apache 2 to test with. You don't have to include
it obviously - I'm sure it's a horrible hack, and it took me like 2 minutes
to hack this up so I'm sure you've got something much better planned.
Eli.
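
Added example (not part of Eli's message and not mod_security code): a self-contained C sketch of what a filter pattern is matched against when the early return in the posted normalise() is taken, compared with when decoding runs. The names decode_inplace, normalise_copy, filter_sees and skip_decoding are hypothetical, the sample URI is constructed, and decode_inplace covers percent-decoding only.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the decoding step: percent-decoding only. Invalid
 * escapes are copied through; a decoded NUL becomes a space (sketch's choice). */
static void decode_inplace(char *s) {
    char *out = s;
    while (*s) {
        if (s[0] == '%' && isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2])) {
            char hex[3] = { s[1], s[2], '\0' };
            char c = (char)strtol(hex, NULL, 16);
            *out++ = c ? c : ' ';
            s += 3;
        } else {
            *out++ = *s++;
        }
    }
    *out = '\0';
}

/* Hypothetical analogue of the posted normalise(): copy the URI, then
 * return the copy untouched when skip_decoding is set. malloc stands in
 * for the request pool; the caller frees the result. */
char *normalise_copy(const char *uri, int skip_decoding) {
    char *copy;
    if (uri == NULL) return NULL;
    copy = malloc(strlen(uri) + 1);
    if (copy == NULL) return NULL;
    strcpy(copy, uri);
    if (!skip_decoding) decode_inplace(copy);
    return copy;
}

/* Returns 1 if pattern occurs in the string the filter would be handed. */
int filter_sees(const char *uri, int skip_decoding, const char *pattern) {
    char *view = normalise_copy(uri, skip_decoding);
    int hit = (view != NULL) && (strstr(view, pattern) != NULL);
    free(view);
    return hit;
}

int main(void) {
    const char *uri = "/app/%2e%2e/private"; /* constructed sample URI */
    printf("decoded: '../'=%d '%%2e'=%d\n", filter_sees(uri, 0, "../"), filter_sees(uri, 0, "%2e"));
    printf("raw:     '../'=%d '%%2e'=%d\n", filter_sees(uri, 1, "../"), filter_sees(uri, 1, "%2e"));
    return 0;
}
```

With decoding skipped, a rule written against the decoded form ("../") no longer matches the encoded request, while a rule written against the literal escape ("%2e") starts to match; rules have to be written for whichever view the flag selects.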