From 23c9775fb6afb7be1472944e02396f29771dc8e2 Mon Sep 17 00:00:00 2001
From: Bill Bob
Date: Thu, 4 Aug 2022 19:36:41 -0400
Subject: [PATCH] Updated the adaptors to have a config.h preproc definition which, if enabled, compiles the adaptors without the ability to check for invalid URL characters.
---
 Utilities/Adaptors/Adaptor/config.h | 5 ++++-
 Utilities/Adaptors/Apache/mod_WebObjects.c | 12 ++++++++++++
 Utilities/Adaptors/Apache2.2/mod_WebObjects.c | 4 +++-
 Utilities/Adaptors/Apache2.4/mod_WebObjects.c | 4 +++-
 Utilities/Adaptors/CGI/WebObjects.c | 2 ++
 Utilities/Adaptors/FastCGI/WebObjects.c | 2 ++
 Utilities/Adaptors/IIS/WebObjects.c | 2 ++
 7 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/Utilities/Adaptors/Adaptor/config.h b/Utilities/Adaptors/Adaptor/config.h
index 7acd172cb47..091e5a395da 100644
--- a/Utilities/Adaptors/Adaptor/config.h
+++ b/Utilities/Adaptors/Adaptor/config.h
@@ -81,7 +81,10 @@ typedef int intptr_t;
 #define WA_MAX_HOST_NAME_LENGTH 64 /* maximum length of a host name, including the null */
 #define WA_MAX_INSTANCE_NUMBER_LENGTH 8 /* maximum length of an instance number, including the null */
-
+// 2022-08-04: Uncomment this option to explicitly DISABLE URL invalid character rejections.
+// Please do not change this unless you are certain about doing so!
+//#define __PRESERVE_UNSAFE_URLS 1
+
 /*
 * default values for some feature settings
 */
diff --git a/Utilities/Adaptors/Apache/mod_WebObjects.c b/Utilities/Adaptors/Apache/mod_WebObjects.c
index f5241c478da..2c7f080a11f 100644
--- a/Utilities/Adaptors/Apache/mod_WebObjects.c
+++ b/Utilities/Adaptors/Apache/mod_WebObjects.c
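Review bot: `__PRESERVE_UNSAFE_URLS` on the new `//#define` line is a reserved identifier — names beginning with two underscores belong to the compiler and standard library (C11 §7.1.3), so a toolchain is free to predefine or clash with it, and for a switch whose effect is to turn a security check off that is a silent failure mode. The other settings in this header use a `WA_` prefix (`WA_MAX_HOST_NAME_LENGTH`, `WA_MAX_INSTANCE_NUMBER_LENGTH`), so `//#define WA_PRESERVE_UNSAFE_URLS 1` fits the file's convention; the same rename applies to the `#ifndef` guards in the Apache, Apache2.2, Apache2.4, CGI, FastCGI and IIS hunks. The comment should also state what is given up rather than only warning against change, e.g. `// Defining this removes the 0x0D/0x0A rejection that every adaptor performs before WOParseApplicationName.`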
@@ -271,12 +271,24 @@ int WebObjects_translate(request_rec *r) {
 WebObjects_config *wc;
 WOURLComponents url;
 WOURLError urlerr;
+ WOURLError charcheck;
 wc = (WebObjects_config *)ap_get_module_config(r->server->module_config, &WebObjects_module);
 /* WOLog(WO_DBG," new translate: %s",r->uri); */
 if (strncmp(wc->WebObjects_alias, r->uri, strlen(wc->WebObjects_alias)) == 0) {
 url = WOURLComponents_Initializer;
+
+#ifndef __PRESERVE_UNSAFE_URLS
+ // Make sure the URL does not contain forbidden characters (0x0D or 0x0A).
+ charcheck = WOValidateInitialURL( r->uri );
+ if ( charcheck != WOURLOK ) {
+ WOLog(WO_ERR, "WebObjects_translate(): declining request due to forbidden URL characters");
+ return DECLINED;
+ }
+#endif
+
+
 urlerr = WOParseApplicationName(&url, r->uri);
 if (urlerr != WOURLOK && !((urlerr == WOURLInvalidApplicationName) && ac_authorizeAppListing(&url))) {
 /* WOLog(WO_DBG," translate - DECLINED: %s",r->uri); */
diff --git a/Utilities/Adaptors/Apache2.2/mod_WebObjects.c b/Utilities/Adaptors/Apache2.2/mod_WebObjects.c
index 2900c19bf31..24a2d355098 100644
--- a/Utilities/Adaptors/Apache2.2/mod_WebObjects.c
+++ b/Utilities/Adaptors/Apache2.2/mod_WebObjects.c
@@ -681,12 +681,14 @@ int WebObjects_translate(request_rec *r) {
 memset(&url,0,sizeof(WOURLComponents));
 #endif
+#ifndef __PRESERVE_UNSAFE_URLS
 // Make sure the URL does not contain forbidden characters (0x0D or 0x0A).
 charcheck = WOValidateInitialURL( r->uri );
 if ( charcheck != WOURLOK ) {
- WOLog(WO_DBG, "WebObjects_translate(): declining request due to forbidden URL characters");
+ WOLog(WO_ERR, "WebObjects_translate(): declining request due to forbidden URL characters");
 return DECLINED;
 }
+#endif
 urlerr = WOParseApplicationName(&url, r->uri);
 if (urlerr != WOURLOK && !((urlerr == WOURLInvalidApplicationName) && ac_authorizeAppListing(&url))) {
diff --git a/Utilities/Adaptors/Apache2.4/mod_WebObjects.c b/Utilities/Adaptors/Apache2.4/mod_WebObjects.c
index 86a7fda5b05..103f10b75bf 100644
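Review bot: `WOURLError charcheck;` is added unconditionally but is only referenced inside the new `#ifndef __PRESERVE_UNSAFE_URLS` block, so a build with the macro defined gets an unused-variable warning in WebObjects_translate; wrapping the declaration in the same guard (`#ifndef __PRESERVE_UNSAFE_URLS` / `WOURLError charcheck;` / `#endif`) keeps both configurations warning-clean, and the same presumably holds for the `charcheck` declarations of the Apache2.2, Apache2.4, CGI, FastCGI and IIS files, which lie outside their hunks. The two blank lines added after `#endif` look unintentional; one is enough. This adaptor answers a rejected URL with `DECLINED`, which hands `r->uri` on to Apache's other translators, whereas the CGI, FastCGI and IIS hunks fail the request with `HTTP_BAD_REQUEST` — if letting the request fall through is intended, say so on the `return DECLINED;` line, e.g. `return DECLINED; /* let other handlers see the request rather than answer 400 */`. WebObjects_translate's body continues outside the hunk.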
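Review bot: The `WO_DBG` → `WO_ERR` change on the WOLog line in the Apache2.2 hunk (and the identical line in the Apache2.4 hunk, and the new Apache hunk) logs at error level a condition that any unauthenticated client can trigger once per request, so the adaptor's error log can be filled at will by sending CR/LF in the path; `WO_INFO`, the level the adaptors already use for their ` new request:` line, or a dedicated warning level if WOLog has one, keeps the rejection visible without that cost. The message also records nothing about the request, which makes triage hard — the client address from the request_rec would help, but the raw `r->uri` must not be echoed here precisely because it contains the 0x0D/0x0A bytes the check rejects. WebObjects_translate begins outside the hunk.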
--- a/Utilities/Adaptors/Apache2.4/mod_WebObjects.c
+++ b/Utilities/Adaptors/Apache2.4/mod_WebObjects.c
@@ -681,12 +681,14 @@ int WebObjects_translate(request_rec *r) {
 memset(&url,0,sizeof(WOURLComponents));
 #endif
+#ifndef __PRESERVE_UNSAFE_URLS
 // Make sure the URL does not contain forbidden characters (0x0D or 0x0A).
 charcheck = WOValidateInitialURL( r->uri );
 if ( charcheck != WOURLOK ) {
- WOLog(WO_DBG, "WebObjects_translate(): declining request due to forbidden URL characters");
+ WOLog(WO_ERR, "WebObjects_translate(): declining request due to forbidden URL characters");
 return DECLINED;
 }
+#endif
 urlerr = WOParseApplicationName(&url, r->uri);
 if (urlerr != WOURLOK && !((urlerr == WOURLInvalidApplicationName) && ac_authorizeAppListing(&url))) {
diff --git a/Utilities/Adaptors/CGI/WebObjects.c b/Utilities/Adaptors/CGI/WebObjects.c
index 6884a926559..433e9a5917d 100644
--- a/Utilities/Adaptors/CGI/WebObjects.c
+++ b/Utilities/Adaptors/CGI/WebObjects.c
@@ -316,6 +316,7 @@ int doit(int argc, char *argv[], char **envp) {
 strcat(url, path_info);
 WOLog(WO_INFO," new request: %s",url);
+#ifndef __PRESERVE_UNSAFE_URLS
 // Make sure the URL does not contain forbidden characters (0x0D or 0x0A).
 charcheck = WOValidateInitialURL( url );
 if ( charcheck != WOURLOK ) {
@@ -324,6 +325,7 @@ int doit(int argc, char *argv[], char **envp) {
 _urlerr = WOURLstrerror( charcheck );
 die( _urlerr, HTTP_BAD_REQUEST );
 }
+#endif
 urlerr = WOParseApplicationName(&wc, url);
 if (urlerr != WOURLOK) {
diff --git a/Utilities/Adaptors/FastCGI/WebObjects.c b/Utilities/Adaptors/FastCGI/WebObjects.c
index 67fc5f58497..8e2917e0309 100644
--- a/Utilities/Adaptors/FastCGI/WebObjects.c
+++ b/Utilities/Adaptors/FastCGI/WebObjects.c
@@ -331,6 +331,7 @@ int main() {
 strcat(url, path_info);
 WOLog(WO_INFO," new request: %s",url);
+#ifndef __PRESERVE_UNSAFE_URLS
 // Make sure the URL does not contain forbidden characters (0x0D or 0x0A).
 charcheck = WOValidateInitialURL( url );
 if ( charcheck != WOURLOK ) {
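Review bot: In the CGI hunk `WOLog(WO_INFO," new request: %s",url);` runs before the new `#ifndef` block, so a URL carrying 0x0D/0x0A is written to the log with those bytes intact and only rejected afterwards — the check does not protect the log, and every rejected request still splits a log line. Moving that WOLog line below the `#endif`, so that only validated URLs are echoed, closes the gap; the FastCGI hunks (`@@ -331` / `@@ -342`) and the IIS hunks have the same ordering with `url` and `uri`. The `charcheck` and `_urlerr` temporaries used inside the guarded region are declared outside these hunks, so they presumably become unused when the macro is defined and their declarations want the same guard. `doit` starts and ends outside the hunks, and the lines between `@@ -316` and `@@ -324` (the `#ifndef` opens in the first, the `#endif` closes in the second) are not shown.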
@@ -341,6 +342,7 @@ int main() {
 WOFREE(url);
 break;
 }
+#endif
 urlerr = WOParseApplicationName(&wc, url);
 if (urlerr != WOURLOK) {
diff --git a/Utilities/Adaptors/IIS/WebObjects.c b/Utilities/Adaptors/IIS/WebObjects.c
index 1466589e47d..62bb37dc7ec 100644
--- a/Utilities/Adaptors/IIS/WebObjects.c
+++ b/Utilities/Adaptors/IIS/WebObjects.c
@@ -628,6 +628,7 @@ __declspec(dllexport) DWORD __stdcall HttpExtensionProc(EXTENSION_CONTROL_BLOCK
 WOLog(WO_INFO," new request: %s", uri);
 WOFREE(script_name);
+#ifndef __PRESERVE_UNSAFE_URLS
 // Make sure the URL does not contain forbidden characters (0x0D or 0x0A).
 charcheck = WOValidateInitialURL( uri );
 if ( charcheck != WOURLOK ) {
@@ -636,6 +637,7 @@ __declspec(dllexport) DWORD __stdcall HttpExtensionProc(EXTENSION_CONTROL_BLOCK
 _urlerr = WOURLstrerror( charcheck );
 return die( p, _urlerr, HTTP_BAD_REQUEST );
 }
+#endif
 urlerr = WOParseApplicationName(&wc, uri);
 if (urlerr != WOURLOK) {