RE: [mod-security-users] REQUEST_URI decodes URI before running checks
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
RE: [mod-security-users] REQUEST_URI decodes URI before running checks
|
From: Eli <eli...@ex...> - 2005-02-18 19:15:26
|
Ivan wrote:
> Eli wrote:
>> Hm, apparently my stuff does zilch! It compiles, no segfaults, no
apparent
>> memory leaks so far (didn't really test much in this area though), =
but
>> changing the "SecFilterDoURLDecoding" (which I noticed I reversed =
it's
>> meaning! Heheh) to On/Off doesn't seem to make a difference at all. =
I
have
>> a feeling I'm missing something big here!
> Maybe there's code calling normalise_inplace() directly? I don't
> have the time to check right now.
>
> Anyway, poke around and I'm sure you'll figure it out. That's how
> I do it anyway :)
Figured it out - I was dumb :) Since I was just copying your code and
tweaking it - I copied one line where you get the CGI variables and you =
are
forcing decoding to be done. I didn't know it was a forcing thing, I
thought it was initializing the value to a default so I had copied my =
thing
like yours... Of course, this was always forcing it off so that's why =
it
wasn't working!
Here's the patch - tested and it works. Reliable? No idea yet :) =
About to
put it in to production on 4 webservers.
*******NOTE******* This is not to be used by clueless users!!! Don't =
ask
me how to use it or what it does. It's just something to fix *MY* =
problems.
--- mod_security.c.old Fri Feb 18 12:34:53 2005
+++ mod_security.c Fri Feb 18 14:10:54 2005
@@ -310,6 +310,7 @@
int filters_clear;
int range_start;
int range_end;
+ int check_decoding;
int check_encoding;
int check_unicode_encoding;
char *upload_dir;
@@ -1372,6 +1373,7 @@
if (dcfg->range_start =3D=3D NOT_SET) dcfg->range_start =3D 0;
if (dcfg->range_end =3D=3D NOT_SET) dcfg->range_end =3D 255;
+ if (dcfg->check_decoding =3D=3D NOT_SET) dcfg->check_decoding =3D =
0;
if (dcfg->check_encoding =3D=3D NOT_SET) dcfg->check_encoding =3D =
0;
if (dcfg->check_unicode_encoding =3D=3D NOT_SET)
dcfg->check_unicode_encoding =3D 0;
if (dcfg->upload_dir =3D=3D NOT_SET_P) dcfg->upload_dir =3D NULL;
@@ -1418,6 +1420,7 @@
dcfg->range_start =3D NOT_SET;
dcfg->range_end =3D NOT_SET;
+ dcfg->check_decoding =3D NOT_SET;
dcfg->check_encoding =3D NOT_SET;
dcfg->check_unicode_encoding =3D NOT_SET;
@@ -1489,6 +1492,7 @@
new->range_start =3D (child->range_start =3D=3D NOT_SET) ?
parent->range_start : child->range_start;
new->range_end =3D (child->range_end =3D=3D NOT_SET) ? =
parent->range_end :
child->range_end;
+ new->check_decoding =3D (child->check_decoding =3D=3D NOT_SET) ?
parent->check_decoding : child->check_decoding;
new->check_encoding =3D (child->check_encoding =3D=3D NOT_SET) ?
parent->check_encoding : child->check_encoding;
new->check_unicode_encoding =3D (child->check_unicode_encoding =
=3D=3D
NOT_SET) ? parent->check_unicode_encoding : =
child->check_unicode_encoding;
new->upload_dir =3D (child->upload_dir =3D=3D NOT_SET_P) ? =
parent->upload_dir
: child->upload_dir;
@@ -1856,6 +1860,8 @@
char *normalise(request_rec *r, sec_dir_config *dcfg, char *_uri, char
**error_msg) {
char *uri;
+ if (dcfg->check_decoding) return _uri;
+
if (_uri =3D=3D NULL) return NULL;
uri =3D ap_pstrdup(r->pool, _uri);
if (uri =3D=3D NULL) return NULL;
@@ -3044,6 +3050,11 @@
return NULL;
}
+static const char *cmd_filter_no_url_decoding(cmd_parms * cmd,
sec_dir_config *dcfg, int flag) {
+ dcfg->check_decoding =3D flag;
+ return NULL;
+}
+
static const char *cmd_filter_check_url_encoding(cmd_parms * cmd,
sec_dir_config *dcfg, int flag) {
dcfg->check_encoding =3D flag;
return NULL;
@@ -3489,6 +3500,15 @@
},
{
+ "SecFilterNoURLDecoding",
+ cmd_filter_no_url_decoding,
+ NULL,
+ CMD_SCOPE_ANY,
+ FLAG,
+ "On or Off to set whether URL decoding will be performed"
+ },
+
+ {
"SecFilterCheckURLEncoding",
cmd_filter_check_url_encoding,
NULL,
---end of patch---
Eli.
|
