authorGlenn Strauss <gstrauss@gluelogic.com>2018-05-01 00:20:26 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2018-08-12 14:43:22 -0400
commit3eb7902e10ba75b3f2eb159e244d0d8e5037ccd2 (patch)
tree3915619c5c0c93733c3f00d670e559ef319c9df7 /src/burl.h
parent6ccccaaa38bdf545dafbd2e31950e756fc6ac775 (diff)
[core] server.http-parseopts URL normalization opt (fixes #1720)
server.http-parseopts = ( ... ) URL normalization options Note: *not applied* to CONNECT method Note: In a future release, URL normalization likely enabled by default (normalize URL, reject control chars, remove . and .. path segments) To prepare for this change, lighttpd.conf configurations should explicitly select desired behavior by enabling or disabling: server.http-parseopts = ( "url-normalize" => "enable", ... ) server.http-parseopts = ( "url-normalize" => "disable" ) x-ref: "lighttpd ... compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data." https://www.cvedetails.com/cve/CVE-2008-4359/ "Rewrite/redirect rules and URL encoding" https://redmine.lighttpd.net/issues/1720
Diffstat (limited to 'src/burl.h')
-rw-r--r--src/burl.h25
1 files changed, 25 insertions, 0 deletions
diff --git a/src/burl.h b/src/burl.h
new file mode 100644
index 00000000..d81cc572
--- /dev/null
+++ b/src/burl.h
@@ -0,0 +1,25 @@
+#ifndef INCLUDED_BURL_H
+#define INCLUDED_BURL_H
+#include "first.h"
+
+#include "buffer.h"
+
+enum burl_opts_e {
+ HTTP_PARSEOPT_HEADER_STRICT = 0x1
+ ,HTTP_PARSEOPT_HOST_STRICT = 0x2
+ ,HTTP_PARSEOPT_HOST_NORMALIZE = 0x4
+ ,HTTP_PARSEOPT_URL_NORMALIZE = 0x8/*normalize chars %-encoded, uppercase hex*/
+ ,HTTP_PARSEOPT_URL_NORMALIZE_UNRESERVED =0x10 /* decode unreserved */
+ ,HTTP_PARSEOPT_URL_NORMALIZE_REQUIRED =0x20 /* decode (un)reserved*/
+ ,HTTP_PARSEOPT_URL_NORMALIZE_CTRLS_REJECT =0x40
+ ,HTTP_PARSEOPT_URL_NORMALIZE_PATH_BACKSLASH_TRANS=0x80 /* "\\" -> "/" Cygwin */
+ ,HTTP_PARSEOPT_URL_NORMALIZE_PATH_2F_DECODE =0x100/* "%2F"-> "/" */
+ ,HTTP_PARSEOPT_URL_NORMALIZE_PATH_2F_REJECT =0x200
+ ,HTTP_PARSEOPT_URL_NORMALIZE_PATH_DOTSEG_REMOVE =0x400/* "." ".." "//" */
+ ,HTTP_PARSEOPT_URL_NORMALIZE_PATH_DOTSEG_REJECT =0x800
+ ,HTTP_PARSEOPT_URL_NORMALIZE_QUERY_20_PLUS =0x1000
+};
+
+int burl_normalize (buffer *b, buffer *t, int flags);
+
+#endif
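Review bot: The prototype `int burl_normalize (buffer *b, buffer *t, int flags);` on the last line of the hunk carries no contract: the roles of `b` and `t`, whether `t` is a caller-supplied scratch buffer that gets overwritten, and what the int return value means (the `*_REJECT` flag names suggest a reject outcome alongside success) are left to the implementation file. Since this header is what other modules include, I would add a block comment above it along the lines of `/* normalize the URL in b according to HTTP_PARSEOPT_* flags; t is scratch space; returns <status values from burl.c> */`, filling in the actual return values rather than guessing them here. The `*_CTRLS_REJECT`, `*_PATH_2F_REJECT`, `*_PATH_DOTSEG_REJECT` and `*_QUERY_20_PLUS` enumerators have no comment while their siblings do; one-line comments would make the header self-describing. The commit message states normalization is not applied to the CONNECT method; recording that exclusion next to the enum would stop callers assuming every request path has passed through this routine.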