Version 2 of the mod_rewrite fix from apache, fixes problem with

mod_rewrite not working for lookup tables

2 files changed, 58 insertions, 11 deletions

diff --git a/usr.sbin/httpd/src/modules/standard/mod_rewrite.c b/usr.sbin/httpd/src/modules/standard/mod_rewrite.c
index 6e4e6bf78f0..ec5d64ba1aa 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_rewrite.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_rewrite.c
@@ -2258,30 +2258,50 @@ static void do_expand(request_rec *r, char *input, char *buffer, int nbuf,
 	/* now we have a '$' or a '%' */
 	if (inp[1] == '{') {
 	    char *endp;
-	    endp = strchr(inp, '}');
+	    endp = find_closing_bracket(inp+2, '{', '}');
 	    if (endp == NULL) {
 		goto skip;
 	    }
 	    *endp = '\0';
 	    if (inp[0] == '$') {
 		/* ${...} map lookup expansion */
+		/*
+		 * To make rewrite maps useful the lookup key and
+		 * default values must be expanded, so we make
+		 * recursive calls to do the work. For security
+		 * reasons we must never expand a string that includes
+		 * verbatim data from the network. The recursion here
+		 * isn't a problem because the result of expansion is
+		 * only passed to lookup_map() so it cannot be
+		 * re-expanded, only re-looked-up. Another way of
+		 * looking at it is that the recursion is entirely
+		 * driven by the syntax of the nested curly brackets.
+		 */
 		char *key, *dflt, *result;
+		char xkey[MAX_STRING_LEN];
+		char xdflt[MAX_STRING_LEN];
+		char *empty = "";
 		key = strchr(inp, ':');
 		if (key == NULL) {
 		    goto skip;
 		}
 		*key++ = '\0';
 		dflt = strchr(key, '|');
-		if (dflt) {
+		if (dflt == NULL) {
+		    dflt = empty;
+		}
+		else {
 		    *dflt++ = '\0';
 		}
-		result = lookup_map(r, inp+2, key);
+		do_expand(r, key,  xkey,  sizeof(xkey),  briRR, briRC);
+		do_expand(r, dflt, xdflt, sizeof(xdflt), briRR, briRC);
+		result = lookup_map(r, inp+2, xkey);
 		if (result == NULL) {
-		    result = dflt ? dflt : "";
+		    result = xdflt;
 		}
 		span = ap_cpystrn(outp, result, space) - outp;
 		key[-1] = ':';
-		if (dflt) {
+		if (dflt != empty) {
 		    dflt[-1] = '|';
 		}
 	    }
@@ -4152,4 +4172,26 @@ static int compare_lexicography(char *cpNum1, char *cpNum2)
     return 0;
 }
 
+/*
+**
+**  Find end of bracketed expression
+**  s points after the opening bracket
+**
+*/
+
+static char *find_closing_bracket(char *s, int left, int right)
+{
+    int depth;
+
+    for (depth = 1; *s; ++s) {
+	if (*s == right && --depth == 0) {
+	    return s;
+	}
+	else if (*s == left) {
+	    ++depth;
+	}
+    }
+    return NULL;
+}
+
 /*EOF*/
diff --git a/usr.sbin/httpd/src/modules/standard/mod_rewrite.h b/usr.sbin/httpd/src/modules/standard/mod_rewrite.h
index 46c255279f8..fbcfe4f7422 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_rewrite.h
+++ b/usr.sbin/httpd/src/modules/standard/mod_rewrite.h
@@ -168,7 +168,7 @@
 #include <fcntl.h>
 #endif
 #endif
-#ifdef AIX
+#if defined(AIX) || defined(AIXIA64)
 #undef USE_FLOCK
 #define USE_FCNTL 1
 #include <fcntl.h>
@@ -420,14 +420,17 @@ static int apply_rewrite_cond(request_rec *r, rewritecond_entry *p,
                               char *perdir, backrefinfo *briRR,
                               backrefinfo *briRC);
 
+static void do_expand(request_rec *r, char *input, char *buffer, int nbuf,
+		       backrefinfo *briRR, backrefinfo *briRC);
+static void do_expand_env(request_rec *r, char *env[],
+			  backrefinfo *briRR, backrefinfo *briRC);
+
     /* URI transformation function */
 static void  splitout_queryargs(request_rec *r, int qsappend);
 static void  fully_qualify_uri(request_rec *r);
 static void  reduce_uri(request_rec *r);
-static void  expand_backref_inbuffer(pool *p, char *buf, int nbuf,
-                                     backrefinfo *bri, char c);
+static int   is_absolute_uri(char *uri);
 static char *expand_tildepaths(request_rec *r, char *uri);
-static void  expand_map_lookups(request_rec *r, char *uri, int uri_len);
 
     /* rewrite map support functions */
 static char *lookup_map(request_rec *r, char *name, char *key);
@@ -466,8 +469,6 @@ static void  run_rewritemap_programs(server_rec *s, pool *p);
 static int   rewritemap_program_child(void *cmd, child_info *pinfo);
 
     /* env variable support */
-static void  expand_variables_inbuffer(request_rec *r, char *buf, int buf_len);
-static char *expand_variables(request_rec *r, char *str);
 static char *lookup_variable(request_rec *r, char *var);
 static char *lookup_header(request_rec *r, const char *name);
 
@@ -486,6 +487,7 @@ static char  *subst_prefix_path(request_rec *r, char *input, char *match,
 static int    parseargline(char *str, char **a1, char **a2, char **a3);
 static int    prefix_stat(const char *path, struct stat *sb);
 static void   add_env_variable(request_rec *r, char *s);
+static int    subreq_ok(request_rec *r);
 
     /* File locking */
 static void fd_lock(request_rec *r, int fd);
@@ -494,6 +496,9 @@ static void fd_unlock(request_rec *r, int fd);
     /* Lexicographic Comparison */
 static int compare_lexicography(char *cpNum1, char *cpNum2);
 
+    /* Find end of bracketed expression */
+static char *find_closing_bracket(char *s, int left, int right);
+
 #endif /* _MOD_REWRITE_H */
 
 /*EOF*/