check the URL twice, before and after path-info handling. (fixes #1230)

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@1871 152afb58-edef-0310-8abb-c4023f1b3aa9

src/mod_access.c

@@ -111,6 +111,15 @@ static int mod_access_patch_connection(server *srv, connection *con, plugin_data
 }
 #undef PATCH
 
+/**
+ * URI handler
+ *
+ * we will get called twice:
+ * - after the clean up of the URL and 
+ * - after the pathinfo checks are done
+ *
+ * this handles the issue of trailing slashes
+ */
 URIHANDLER_FUNC(mod_access_uri_handler) {
 	plugin_data *p = p_d;
 	int s_len;
@@ -122,28 +131,41 @@ URIHANDLER_FUNC(mod_access_uri_handler) {
 
 	s_len = con->uri.path->used - 1;
 
+	if (con->conf.log_request_handling) {
+ 		log_error_write(srv, __FILE__, __LINE__, "s", 
+				"-- mod_access_uri_handler called");
+	}
+
 	for (k = 0; k < p->conf.access_deny->used; k++) {
 		data_string *ds = (data_string *)p->conf.access_deny->data[k];
 		int ct_len = ds->value->used - 1;
+		int denied = 0;
 
-		if (ct_len > s_len) continue;
 
+		if (ct_len > s_len) continue;
 		if (ds->value->used == 0) continue;
 
 		/* if we have a case-insensitive FS we have to lower-case the URI here too */
 
 		if (con->conf.force_lowercase_filenames) {
 			if (0 == strncasecmp(con->uri.path->ptr + s_len - ct_len, ds->value->ptr, ct_len)) {
-				con->http_status = 403;
-
-				return HANDLER_FINISHED;
+				denied = 1;
 			}
 		} else {
 			if (0 == strncmp(con->uri.path->ptr + s_len - ct_len, ds->value->ptr, ct_len)) {
-				con->http_status = 403;
+				denied = 1;
+			}
+		}
 
-				return HANDLER_FINISHED;
+		if (denied) {
+			con->http_status = 403;
+
+			if (con->conf.log_request_handling) {
+	 			log_error_write(srv, __FILE__, __LINE__, "sb", 
+					"url denied as we match:", ds->value);
 			}
+
+			return HANDLER_FINISHED;
 		}
 	}
 
@@ -158,7 +180,8 @@ int mod_access_plugin_init(plugin *p) {
 
 	p->init        = mod_access_init;
 	p->set_defaults = mod_access_set_defaults;
-	p->handle_uri_clean  = mod_access_uri_handler;
+	p->handle_uri_clean = mod_access_uri_handler;
+	p->handle_subrequest_start  = mod_access_uri_handler;
 	p->cleanup     = mod_access_free;
 
 	p->data        = NULL;

tests/docroot/www/Makefile.am

@@ -1,5 +1,5 @@
 EXTRA_DIST=cgi.php cgi.pl dummydir index.html index.txt phpinfo.php \
 	   redirect.php cgi-pathinfo.pl get-env.php get-server-env.php \
 	   nph-status.pl prefix.fcgi get-header.pl ssi.shtml get-post-len.pl \
-	   exec-date.shtml
+	   exec-date.shtml index.html~
 SUBDIRS=go indexfile expire

tests/mod-access.t

@@ -8,7 +8,7 @@ BEGIN {
 
 use strict;
 use IO::Socket;
-use Test::More tests => 3;
+use Test::More tests => 4;
 use LightyTest;
 
 my $tf = LightyTest->new();
@@ -23,5 +23,12 @@ EOF
 $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ];
 ok($tf->handle_http($t) == 0, 'forbid access to ...~');
 
+$t->{REQUEST}  = ( <<EOF
+GET /index.html~/ HTTP/1.0
+EOF
+ );
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ];
+ok($tf->handle_http($t) == 0, '#1230 - forbid access to ...~ - trailing slash');
+
 ok($tf->stop_proc == 0, "Stopping lighttpd");
 

tests/prepare.sh

@@ -25,6 +25,7 @@ mkdir -p $tmpdir/cache/compress/
 # copy everything into the right places
 cp $srcdir/docroot/www/*.html \
    $srcdir/docroot/www/*.php \
+   $srcdir/docroot/www/*.html~ \
    $srcdir/docroot/www/*.pl \
    $srcdir/docroot/www/*.fcgi \
    $srcdir/docroot/www/*.shtml \