Updated the adaptors to have a config.h preproc definition which, if …

…enabled, compiles the adaptors without the ability to check for invalid URL characters.
wocommunity · Aug 4, 2022 · 23c9775 · 23c9775
1 parent a274dad
commit 23c9775
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 3 deletions.
diff --git a/Utilities/Adaptors/Adaptor/config.h b/Utilities/Adaptors/Adaptor/config.h
@@ -81,7 +81,10 @@ typedef int  intptr_t;
 #define WA_MAX_HOST_NAME_LENGTH		64	/* maximum length of a host name, including the null */
 #define WA_MAX_INSTANCE_NUMBER_LENGTH	8	/* maximum length of an instance number, including the null */
 
-
+// 2022-08-04: Uncomment this option to explicitly DISABLE URL invalid character rejections.
+// Please do not change this unless you are certain about doing so!
+//#define __PRESERVE_UNSAFE_URLS 1
+
 /*
  *	default values for some feature settings
  */

diff --git a/Utilities/Adaptors/Apache/mod_WebObjects.c b/Utilities/Adaptors/Apache/mod_WebObjects.c
@@ -271,12 +271,24 @@ int WebObjects_translate(request_rec *r) {
    WebObjects_config *wc;
    WOURLComponents url;
    WOURLError urlerr;
+   WOURLError charcheck;
 
    wc = (WebObjects_config *)ap_get_module_config(r->server->module_config, &WebObjects_module);
 
    /* WOLog(WO_DBG,"<WebObjects Apache Module> new translate: %s",r->uri); */
    if (strncmp(wc->WebObjects_alias, r->uri, strlen(wc->WebObjects_alias)) == 0) {
       url = WOURLComponents_Initializer;
+
+#ifndef __PRESERVE_UNSAFE_URLS
+      // Make sure the URL does not contain forbidden characters (0x0D or 0x0A).
+      charcheck = WOValidateInitialURL( r->uri );
+      if ( charcheck != WOURLOK ) {
+         WOLog(WO_ERR, "WebObjects_translate(): declining request due to forbidden URL characters");
+         return DECLINED;
+      }
+#endif
+
+
       urlerr = WOParseApplicationName(&url, r->uri);
       if (urlerr != WOURLOK && !((urlerr == WOURLInvalidApplicationName) && ac_authorizeAppListing(&url))) {
          /* WOLog(WO_DBG,"<WebObjects Apache Module> translate - DECLINED: %s",r->uri); */

diff --git a/Utilities/Adaptors/Apache2.2/mod_WebObjects.c b/Utilities/Adaptors/Apache2.2/mod_WebObjects.c
@@ -681,12 +681,14 @@ int WebObjects_translate(request_rec *r) {
         memset(&url,0,sizeof(WOURLComponents));
 #endif
 
+#ifndef __PRESERVE_UNSAFE_URLS
         // Make sure the URL does not contain forbidden characters (0x0D or 0x0A).
         charcheck = WOValidateInitialURL( r->uri );
         if ( charcheck != WOURLOK ) {
-            WOLog(WO_DBG, "WebObjects_translate(): declining request due to forbidden URL characters");
+            WOLog(WO_ERR, "WebObjects_translate(): declining request due to forbidden URL characters");
             return DECLINED;
         }
+#endif
 
         urlerr = WOParseApplicationName(&url, r->uri);
         if (urlerr != WOURLOK && !((urlerr == WOURLInvalidApplicationName) && ac_authorizeAppListing(&url))) {

diff --git a/Utilities/Adaptors/Apache2.4/mod_WebObjects.c b/Utilities/Adaptors/Apache2.4/mod_WebObjects.c
@@ -681,12 +681,14 @@ int WebObjects_translate(request_rec *r) {
 		memset(&url,0,sizeof(WOURLComponents));
 #endif
 
+#ifndef __PRESERVE_UNSAFE_URLS
         // Make sure the URL does not contain forbidden characters (0x0D or 0x0A).
         charcheck = WOValidateInitialURL( r->uri );
         if ( charcheck != WOURLOK ) {
-            WOLog(WO_DBG, "WebObjects_translate(): declining request due to forbidden URL characters");
+            WOLog(WO_ERR, "WebObjects_translate(): declining request due to forbidden URL characters");
             return DECLINED;
         }
+#endif
 
         urlerr = WOParseApplicationName(&url, r->uri);
         if (urlerr != WOURLOK && !((urlerr == WOURLInvalidApplicationName) && ac_authorizeAppListing(&url))) {

diff --git a/Utilities/Adaptors/CGI/WebObjects.c b/Utilities/Adaptors/CGI/WebObjects.c
@@ -316,6 +316,7 @@ int doit(int argc, char *argv[], char **envp) {
       strcat(url, path_info);
       WOLog(WO_INFO,"<CGI> new request: %s",url);
 
+#ifndef __PRESERVE_UNSAFE_URLS
       // Make sure the URL does not contain forbidden characters (0x0D or 0x0A).
       charcheck = WOValidateInitialURL( url );
       if ( charcheck != WOURLOK ) {
@@ -324,6 +325,7 @@ int doit(int argc, char *argv[], char **envp) {
          _urlerr = WOURLstrerror( charcheck );
          die( _urlerr, HTTP_BAD_REQUEST );
       }
+#endif
 
       urlerr = WOParseApplicationName(&wc, url);
       if (urlerr != WOURLOK) {

diff --git a/Utilities/Adaptors/FastCGI/WebObjects.c b/Utilities/Adaptors/FastCGI/WebObjects.c
@@ -331,6 +331,7 @@ int main() {
       strcat(url, path_info);
       WOLog(WO_INFO,"<FastCGI> new request: %s",url);
 
+#ifndef __PRESERVE_UNSAFE_URLS
       // Make sure the URL does not contain forbidden characters (0x0D or 0x0A).
       charcheck = WOValidateInitialURL( url );
       if ( charcheck != WOURLOK ) {
@@ -341,6 +342,7 @@ int main() {
          WOFREE(url);
          break;
       }
+#endif
 
       urlerr = WOParseApplicationName(&wc, url);
       if (urlerr != WOURLOK) {

diff --git a/Utilities/Adaptors/IIS/WebObjects.c b/Utilities/Adaptors/IIS/WebObjects.c
@@ -628,6 +628,7 @@ __declspec(dllexport) DWORD __stdcall HttpExtensionProc(EXTENSION_CONTROL_BLOCK
    WOLog(WO_INFO,"<WebObjects ISAPI> new request: %s", uri);
    WOFREE(script_name);
 
+#ifndef __PRESERVE_UNSAFE_URLS
    // Make sure the URL does not contain forbidden characters (0x0D or 0x0A).
    charcheck = WOValidateInitialURL( uri );
    if ( charcheck != WOURLOK ) {
@@ -636,6 +637,7 @@ __declspec(dllexport) DWORD __stdcall HttpExtensionProc(EXTENSION_CONTROL_BLOCK
       _urlerr = WOURLstrerror( charcheck );
       return die( p, _urlerr, HTTP_BAD_REQUEST );
    }
+#endif
 
    urlerr = WOParseApplicationName(&wc, uri);
    if (urlerr != WOURLOK) {