Commit afe49cab authored by William A. Rowe Jr

Revert misguided commit r1799731.

Discussion on-list, but any occurrence of a platform-specific behavior in this
code path will alter the behavior of the core code and introduce the very
fingerprintable behavior this patch pretended to obfuscate.

Returning 404 for /CON for example may lead to a module such as mod_speling
revealing the existence of a real file named similar to /.conf, which makes
this an unwise behavior.

Further discussion of returning 404 for all CHR files encountered in the
filepath (not URI path), which currently return 403 on all platforms,
belongs on the dev list.





git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1799965 13f79535-47bb-0310-9956-ffa450edef68
parent c5b76ae5
+0 −4
@@ -5,10 +5,6 @@ Changes with Apache 2.5.0
     This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
     PR 61207. [Christophe Jaillet]

  *) core: Send a 404 response like other OSs do instead of 403 on Windows
     when a path segment or file requested uses a reserved word so Windows
     cannot be fingerprinted. PR55887 [Gregg Smith]

  *) mod_rewrite: Add 'RewriteOptions LongURLOptimization' to free memory
     from each set of unmatched rewrite conditions.
     [Eric Covener]
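
Review bot: Dropping the PR55887 entry from the "Changes with Apache 2.5.0" section leaves nothing in CHANGES to show that the 404-for-reserved-words behavior was tried and then withdrawn. Because the removed entry cited PR55887, add a comment on that PR pointing at this revert so the report does not read as resolved. A replacement CHANGES line is only needed if the original change reached a release.
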
+0 −15
@@ -1211,25 +1211,10 @@ AP_DECLARE(int) ap_directory_walk(request_rec *r)
                break;
            }
            else if (thisinfo.filetype != APR_DIR) {
#ifdef _WIN32
                ap_regex_t *preg;
#endif
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00038)
                              "Forbidden: %s doesn't point to "
                              "a file or directory",
                              r->filename);
#ifdef _WIN32
                /* Windows has a number of reserved words that cannot be used
                 * as a file or directory name so thisinfo.filetype will
                 * always be != APR_DIR. Don't allow us be fingerprinted with
                 * a 403 and instead send a 404 like other OSs would. PR55887
                 */
                preg = ap_pregcomp(r->pool,
               "/(aux|con|com[1-9]|lpt[1-9]|nul|prn)"
               "($|/|.)", AP_REG_EXTENDED | AP_REG_ICASE);
                if (ap_regexec(preg, r->uri, 0, NULL, 0) == 0)
                    return r->status = HTTP_NOT_FOUND;
#endif
                return r->status = HTTP_FORBIDDEN;
            }
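
Review bot: The removed block in ap_directory_walk ran its regex against r->uri, while the log call directly above it reports r->filename, so the 404 decision was driven by the URI rather than by the file that actually failed the APR_DIR check; that mismatch supports taking the block out. The trailing group "($|/|.)" also carried an unescaped dot, which matches any character, so a segment that merely begins with one of the listed words (for example /console) would have been answered with 404 too, and the pattern was compiled with ap_pregcomp on every request that reached this branch. With the block gone, the branch returns HTTP_FORBIDDEN unconditionally again; consider a one-line comment at that return stating that the status is deliberately the same on every platform, so a later patch does not reintroduce a platform-specific status here.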