From e2166ae8e506e3bd6f9a33e7c9d2ef0d367a4e12 Mon Sep 17 00:00:00 2001
From: Clinton Ebadi
Date: Sun, 11 Dec 2016 23:15:05 -0500
Subject: [PATCH] apache: core directive AllowEncodedSlashes

Allow members to set the safe NoDecode mode instead of unequivocally rejecting URLs with encoded slashes. "On" is not supported because we do not want to allow encoded urls to access arbitrary directories (not sure if it's paranoia, but the apache docs discourage it).

https://bugzilla.hcoop.net/show_bug.cgi?id=1220
https://httpd.apache.org/docs/2.2/mod/core.html#allowencodedslashes
---
 lib/apache_options.dtl | 3 +++
 src/plugins/apache.sml | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/lib/apache_options.dtl b/lib/apache_options.dtl
index f36e653..279348b 100644
--- a/lib/apache_options.dtl
+++ b/lib/apache_options.dtl
@@ -37,3 +37,6 @@ extern val addDefaultCharset : no_spaces -> [^Vhost];
 extern type file_extension;
 extern val cgiExtension : file_extension -> [^Vhost];
 {{Ask for all files ending in a particular extension to be executed as CGI.}}
+
+extern val allowEncodedSlashes : bool -> [Vhost];
+{{Enable or disable encoded lashes. Default is false, true sets NoDecode, full decoding is insecure and unsupported.}}
\ No newline at end of file
diff --git a/src/plugins/apache.sml b/src/plugins/apache.sml
index 813051c..b7d36a4 100644
--- a/src/plugins/apache.sml
+++ b/src/plugins/apache.sml
@@ -1147,6 +1147,11 @@ val () = Domain.registerDescriber (Domain.considerAll Domain.Extension
 {extension = "vhost_ssl",
 heading = fn host => "SSL web vhost " ^ host ^ ":"}])
+val () = Env.action_one "allowEncodedSlashes"
+ ("enable", Env.bool)
+ (fn enable => (write "\tAllowEncodedSlashes ";
+ write (if enable then "NoDecode" else "Off");
+ write "\n"))
 val () = Env.action_none "testNoHtaccess"
 (fn path => write "\tAllowOverride None\n")
--
2.20.1
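Review bot: The new doc string in lib/apache_options.dtl has a typo ("encoded lashes") and does not tell a member what each value actually emits, which matters because this is the one place they see the option's security semantics. I would replace it with `{{Control Apache's AllowEncodedSlashes directive. false writes Off (requests whose path contains an encoded slash are rejected), true writes NoDecode (they are accepted but the %2F is left undecoded). Full decoding (On) is insecure and deliberately unsupported.}}`. The declaration is also typed `[Vhost]` while the neighbouring `addDefaultCharset` and `cgiExtension` use `[^Vhost]`; if that difference is not intentional it should match them. Also note the added line has no trailing newline ("\ No newline at end of file"), which will show up as churn in the next edit.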
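Review bot: The reasoning for exposing only NoDecode/Off lives in the commit message and not in src/plugins/apache.sml, so the next person to touch `allowEncodedSlashes` has nothing stopping them from adding "On". I would put a comment directly above the new `val () = Env.action_one "allowEncodedSlashes"`, along the lines of `(* Only Off/NoDecode are offered: AllowEncodedSlashes On decodes %2F into real path separators, which the Apache docs discourage for security reasons. *)`. If I recall the linked 2.2 documentation correctly, NoDecode is only recognised from 2.2.18 onward, so it is worth noting the minimum httpd version in that comment as well, since an older server would refuse the generated config; please confirm against the docs. The preceding `registerDescriber` expression starts outside the hunk; the new declaration itself is complete.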