Dropped the never-released ap_has_cntrls() as it had very limited
and inefficient application at that, added ap_scan_vchar_obstext()
to accomplish a similar purpose.

Dropped HttpProtocolOptions StrictURL option, this will be better
handled in the future with a specific directive and perhaps multiple
levels of scrutiny, use ap_scan_vchar_obstext() to simply ensure there
are no control characters or whitespace within the URI.

Changed the scanning of the response header table by check_headers()
to follow the same rulesets as reading request headers. Disallow any
CTL character within a response header value, and any CTL or whitespace
in response header field name, even in strict mode.

Apply HttpProtocolOptions Strict to chunk header parsing, invalid
whitespace is invalid, line termination must follow CRLF convention.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1764961 13f79535-47bb-0310-9956-ffa450edef68
William A. Rowe Jr
2016-10-14 20:48:43 +00:00
parent b610c3b0e3
commit 84ce5d25db
6 changed files with 102 additions and 118 deletions


@ -53,7 +53,7 @@
#define T_ESCAPE_FORENSIC (0x20)
#define T_ESCAPE_URLENCODED (0x40)
#define T_HTTP_CTRLS (0x80)
#define T_URI_RFC3986 (0x100)
#define T_VCHAR_OBSTEXT (0x100)
int main(int argc, char *argv[])
{
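Review bot: The define T_VCHAR_OBSTEXT at the end of this list takes over the value (0x100) that T_URI_RFC3986 had, and nothing next to it says which character class the bit now marks. Add a one-line comment on the define stating that it flags bytes that are neither NUL, a control character nor space, matching the generator's test `if (c && !apr_iscntrl(c) && c != ' ')` later in this file, so that a reader of the generated table does not assume the old RFC 3986 meaning for the same bit.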
@ -70,7 +70,7 @@ int main(int argc, char *argv[])
"#define T_ESCAPE_FORENSIC (%u)\n"
"#define T_ESCAPE_URLENCODED (%u)\n"
"#define T_HTTP_CTRLS (%u)\n"
"#define T_URI_RFC3986 (%u)\n"
"#define T_VCHAR_OBSTEXT (%u)\n"
"\n"
"static const unsigned short test_char_table[256] = {",
T_ESCAPE_SHELL_CMD,
@ -81,7 +81,7 @@ int main(int argc, char *argv[])
T_ESCAPE_FORENSIC,
T_ESCAPE_URLENCODED,
T_HTTP_CTRLS,
T_URI_RFC3986);
T_VCHAR_OBSTEXT);
for (c = 0; c < 256; ++c) {
flags = 0;
@ -143,11 +143,8 @@ int main(int argc, char *argv[])
* and unreserved (2.3) that are possible somewhere within a URI.
* Spec requires all others to be %XX encoded, including obs-text.
*/
if (c && (strchr("%" /* pct-encode */
":/?#[]@" /* gen-delims */
"!$&'()*+,;=" /* sub-delims */
"-._~", c) || apr_isalnum(c))) { /* unreserved */
flags |= T_URI_RFC3986;
if (c && !apr_iscntrl(c) && c != ' ') {
flags |= T_VCHAR_OBSTEXT;
}
/* For logging, escape all control characters,
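Review bot: The comment left above the new test `if (c && !apr_iscntrl(c) && c != ' ')` is stale: it still describes the RFC 3986 delimiter and unreserved sets and says all other characters, "including obs-text", must be %XX encoded, while the new condition sets T_VCHAR_OBSTEXT for every byte that is not NUL, a control character or space. Rewrite the comment to describe what the flag actually accepts. Since the flag name says obs-text is meant to pass, it is worth stating in that comment that bytes 0x80-0xFF are flagged only as long as apr_iscntrl() returns false for them, so the intent can be checked against the generated table.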