authorGlenn Strauss <gstrauss@gluelogic.com>2018-05-01 00:20:26 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2018-08-12 14:43:22 -0400
commit3eb7902e10ba75b3f2eb159e244d0d8e5037ccd2 (patch)
tree3915619c5c0c93733c3f00d670e559ef319c9df7 /src/mod_rewrite.c
parent6ccccaaa38bdf545dafbd2e31950e756fc6ac775 (diff)
downloadlighttpd-git-3eb7902e10ba75b3f2eb159e244d0d8e5037ccd2.tar.gz
[core] server.http-parseopts URL normalization opt (fixes #1720)
server.http-parseopts = ( ... ) URL normalization options

Note: *not applied* to CONNECT method

Note: In a future release, URL normalization is likely to be enabled by default (normalize URL, reject control chars, remove . and .. path segments). To prepare for this change, lighttpd.conf configurations should explicitly select the desired behavior by enabling or disabling:
  server.http-parseopts = ( "url-normalize" => "enable", ... )
  server.http-parseopts = ( "url-normalize" => "disable" )

x-ref:
  "lighttpd ... compares URIs to patterns in the (1) url.redirect and (2) url.rewrite configuration settings before performing URL decoding, which might allow remote attackers to bypass intended access restrictions, and obtain sensitive information or possibly modify data."
  https://www.cvedetails.com/cve/CVE-2008-4359/
  "Rewrite/redirect rules and URL encoding"
  https://redmine.lighttpd.net/issues/1720
Diffstat (limited to 'src/mod_rewrite.c')
-rw-r--r--src/mod_rewrite.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/mod_rewrite.c b/src/mod_rewrite.c
index ae6592f9..07e03f7a 100644
--- a/src/mod_rewrite.c
+++ b/src/mod_rewrite.c
@@ -85,6 +85,10 @@ static int parse_config_entry(server *srv, array *ca, pcre_keyvalue_buffer *kvb,
for (j = 0; j < da->value->used; j++) {
data_string *ds = (data_string *)da->value->data[j];
+ if (srv->srvconf.http_url_normalize) {
+ pcre_keyvalue_burl_normalize_key(ds->key, srv->tmp_buf);
+ pcre_keyvalue_burl_normalize_value(ds->value, srv->tmp_buf);
+ }
if (0 != pcre_keyvalue_buffer_append(srv, kvb, ds->key, ds->value)) {
log_error_write(srv, __FILE__, __LINE__, "sb",
"pcre-compile failed for", ds->key);