RE: [mod-security-users] REQUEST_URI decodes URI before running checks
From: Eli <eli...@ex...> - 2005-02-18 18:45:42
Hm, apparently my stuff does zilch! It compiles, no segfaults, no apparent
memory leaks so far (didn't really test much in this area though), but
changing the "SecFilterDoURLDecoding" (which I noticed I reversed its
meaning! Heheh) to On/Off doesn't seem to make a difference at all. I have
a feeling I'm missing something big here!
Eli.
------
I hacked in a flag called "SecFilterDoURLDecoding" (I think - haven't test
compiled yet) and hopefully added all the required entries for the
"dcfg->check_decoding" config parameter. My only question is:
char *normalise(request_rec *r, sec_dir_config *dcfg, char *_uri, char **error_msg) {
    char *uri;

    if (_uri == NULL) return NULL;
    uri = ap_pstrdup(r->pool, _uri);
    if (uri == NULL) return NULL;
    if (dcfg->check_decoding) return uri; // is this correct?
    return normalise_inplace(r, dcfg, uri, error_msg);
}
I don't know if the "return uri" is the right way to do it or not. Will
this cause a memory leak at all, or return something the user wouldn't
expect?
If that looks OK to you, I'm gonna test this out and see if it segs or not
:) If not, I'll send you the patch - it's for the apache 1.x module only
though since I don't have Apache 2 to test with. You don't have to include
it obviously - I'm sure it's a horrible hack, and it took me like 2 minutes
to hack this up so I'm sure you've got something much better planned.
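
An added example, not part of the original message and not ModSecurity code: a stand-alone C model of a decode-or-skip switch in front of a filter check, showing what string the check sees in each setting. All demo_* names are hypothetical, malloc/free stand in for the Apache pool, the flag is taken to mean "On = decode", and the sample URIs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the module's per-directory config. */
typedef struct { int do_url_decoding; } demo_config;

static int hex_val(unsigned char c) {
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %XX in place; malformed escapes and %00 are left literal. */
static void demo_decode_inplace(char *s) {
    char *out = s;
    while (*s) {
        int hi = -1, lo = -1;
        if (*s == '%' && (hi = hex_val((unsigned char)s[1])) >= 0)
            lo = hex_val((unsigned char)s[2]);
        if (lo >= 0 && hi * 16 + lo != 0) { *out++ = (char)(hi * 16 + lo); s += 3; }
        else { *out++ = *s++; }
    }
    *out = '\0';
}

/* Returns a heap copy that the caller frees (assumption: no pool here). */
char *demo_normalise(const demo_config *cfg, const char *uri_in) {
    char *uri;
    if (uri_in == NULL) return NULL;
    uri = malloc(strlen(uri_in) + 1);
    if (uri == NULL) return NULL;
    strcpy(uri, uri_in);
    if (!cfg->do_url_decoding) return uri;   /* Off: checks see raw bytes */
    demo_decode_inplace(uri);                /* On: checks see decoded text */
    return uri;
}

/* 1 if the string handed to the filter contains the pattern, else 0. */
int demo_filter_hits(int decoding_on, const char *uri, const char *pattern) {
    demo_config cfg = { decoding_on };
    char *seen = demo_normalise(&cfg, uri);
    int hit = seen != NULL && strstr(seen, pattern) != NULL;
    free(seen);
    return hit;
}

int main(void) {
    const char *uri = "/search?q=hello%20world";   /* constructed sample */
    printf("On:  %d\n", demo_filter_hits(1, uri, "hello world"));
    printf("Off: %d\n", demo_filter_hits(0, uri, "hello world"));
    return 0;
}
```

A quick way to confirm that such a switch is wired in is to run one request through both settings and compare what the filter matched, as main() does here.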