From f0e5c1415d764c47493c3f2c814495689966c024 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stefan=20B=C3=BChler?= Date: Fri, 10 Jan 2014 12:04:59 +0000 Subject: [PATCH] [core] decode URL before rewrite, enabling it to work in $HTTP["url"] conditionals (fixes #2526) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Stefan Bühler git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2927 152afb58-edef-0310-8abb-c4023f1b3aa9 --- NEWS | 1 + src/mod_rewrite.c | 2 -- src/response.c | 78 ++++++++++++++++++++++------------------------- 3 files changed, 37 insertions(+), 44 deletions(-) diff --git a/NEWS b/NEWS index 97096fa1..a431e53a 100644 --- a/NEWS +++ b/NEWS @@ -13,6 +13,7 @@ NEWS * [core] check success of setuid,setgid,setgroups (CVE-2013-4559) * [ssl] fix regression from CVE-2013-4508 (client-cert sessions were broken) * maintain physical.basedir (the "acting" doc-root as prefix of physical.path) in more places + * [core] decode URL before rewrite, enabling it to work in $HTTP["url"] conditionals (fixes #2526) - 1.4.33 - 2013-09-27 * mod_fastcgi: fix mix up of "mode" => "authorizer" in other fastcgi configs (fixes #2465, thx peex) diff --git a/src/mod_rewrite.c b/src/mod_rewrite.c index 5d1f8322..988dfd74 100644 --- a/src/mod_rewrite.c +++ b/src/mod_rewrite.c @@ -296,8 +296,6 @@ static int mod_rewrite_patch_connection(server *srv, connection *con, plugin_dat data_config *dc = (data_config *)srv->config_context->data[i]; s = p->config_storage[i]; - if (COMP_HTTP_URL == dc->comp) continue; - /* condition didn't match */ if (!config_check_cond(srv, con, dc)) continue; diff --git a/src/response.c b/src/response.c index 521ab85c..eb5c2f2a 100644 --- a/src/response.c +++ b/src/response.c 
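Review bot: In the src/mod_rewrite.c hunk, removing `if (COMP_HTTP_URL == dc->comp) continue;` leaves mod_rewrite_patch_connection with no comment saying which form of the URL a `$HTTP["url"]` block is tested against. Per the src/response.c change in this commit, the condition now sees the decoded and simplified `con->uri.path`. The rewrite rules presumably still match the raw request URI (rule matching is outside this hunk), so an encoded request can satisfy the condition without matching the rule, or the reverse. I would add above the `config_check_cond()` call: `/* $HTTP["url"] conditions match the decoded con->uri.path, not the raw request URI the rules see */`. The function body starts and ends outside the hunk.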
@@ -305,13 +305,44 @@ handler_t http_response_prepare(server *srv, connection *con) { buffer_copy_string_buffer(con->uri.path_raw, con->request.uri); } + /* decode url to path + * + * - decode url-encodings (e.g. %20 -> ' ') + * - remove path-modifiers (e.g. /../) + */ + + if (con->request.http_method == HTTP_METHOD_OPTIONS && + con->uri.path_raw->ptr[0] == '*' && con->uri.path_raw->ptr[1] == '\0') { + /* OPTIONS * ... */ + buffer_copy_string_buffer(con->uri.path, con->uri.path_raw); + } else { + buffer_copy_string_buffer(srv->tmp_buf, con->uri.path_raw); + buffer_urldecode_path(srv->tmp_buf); + buffer_path_simplify(con->uri.path, srv->tmp_buf); + } + + config_patch_connection(srv, con, COMP_HTTP_URL); /* HTTPurl */ + config_patch_connection(srv, con, COMP_HTTP_QUERY_STRING); /* HTTPqs */ + +#ifdef USE_OPENSSL + if (con->srv_socket->is_ssl && con->conf.ssl_verifyclient) { + https_add_ssl_entries(con); + } +#endif + + /* do we have to downgrade to 1.0 ? */ + if (!con->conf.allow_http11) { + con->request.http_version = HTTP_VERSION_1_0; + } + if (con->conf.log_request_handling) { log_error_write(srv, __FILE__, __LINE__, "s", "-- splitting Request-URI"); - log_error_write(srv, __FILE__, __LINE__, "sb", "Request-URI : ", con->request.uri); - log_error_write(srv, __FILE__, __LINE__, "sb", "URI-scheme : ", con->uri.scheme); - log_error_write(srv, __FILE__, __LINE__, "sb", "URI-authority: ", con->uri.authority); - log_error_write(srv, __FILE__, __LINE__, "sb", "URI-path : ", con->uri.path_raw); - log_error_write(srv, __FILE__, __LINE__, "sb", "URI-query : ", con->uri.query); + log_error_write(srv, __FILE__, __LINE__, "sb", "Request-URI : ", con->request.uri); + log_error_write(srv, __FILE__, __LINE__, "sb", "URI-scheme : ", con->uri.scheme); + log_error_write(srv, __FILE__, __LINE__, "sb", "URI-authority : ", con->uri.authority); + log_error_write(srv, __FILE__, __LINE__, "sb", "URI-path (raw) : ", con->uri.path_raw); + log_error_write(srv, __FILE__, __LINE__, "sb", 
"URI-path (clean): ", con->uri.path); + log_error_write(srv, __FILE__, __LINE__, "sb", "URI-query : ", con->uri.query); } @@ -336,35 +367,6 @@ handler_t http_response_prepare(server *srv, connection *con) { break; } - /* build filename - * - * - decode url-encodings (e.g. %20 -> ' ') - * - remove path-modifiers (e.g. /../) - */ - - - - if (con->request.http_method == HTTP_METHOD_OPTIONS && - con->uri.path_raw->ptr[0] == '*' && con->uri.path_raw->ptr[1] == '\0') { - /* OPTIONS * ... */ - buffer_copy_string_buffer(con->uri.path, con->uri.path_raw); - } else { - buffer_copy_string_buffer(srv->tmp_buf, con->uri.path_raw); - buffer_urldecode_path(srv->tmp_buf); - buffer_path_simplify(con->uri.path, srv->tmp_buf); - } - - if (con->conf.log_request_handling) { - log_error_write(srv, __FILE__, __LINE__, "s", "-- sanitising URI"); - log_error_write(srv, __FILE__, __LINE__, "sb", "URI-path : ", con->uri.path); - } - -#ifdef USE_OPENSSL - if (con->srv_socket->is_ssl && con->conf.ssl_verifyclient) { - https_add_ssl_entries(con); - } -#endif - /** * * call plugins @@ -373,14 +375,6 @@ handler_t http_response_prepare(server *srv, connection *con) { * */ - config_patch_connection(srv, con, COMP_HTTP_URL); /* HTTPurl */ - config_patch_connection(srv, con, COMP_HTTP_QUERY_STRING); /* HTTPqs */ - - /* do we have to downgrade to 1.0 ? */ - if (!con->conf.allow_http11) { - con->request.http_version = HTTP_VERSION_1_0; - } - switch(r = plugins_call_handle_uri_clean(srv, con)) { case HANDLER_GO_ON: break;
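Review bot: The two `config_patch_connection()` calls now run ahead of the raw-URI plugin stage, so `con->conf` (including `allow_http11` and `ssl_verifyclient`, both read a few lines below) is fixed from the pre-rewrite `con->uri.path`. Nothing in this hunk re-evaluates it if a later handler changes `con->uri.path_raw` without restarting the request. If every such handler does restart http_response_prepare (not visible here), say so at the call site, e.g. `/* evaluated on the decoded path before raw-URI handlers; a handler that changes the URI must restart the request so this is redone */`. Configurations that place access rules inside `$HTTP["url"]` blocks depend on that re-evaluation happening on the rewritten path. http_response_prepare starts and ends outside the hunk.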