Merge pull request #3048 from airween/v3/encodedqm

Change REQUEST_FILENAME behavior
2025-08-13 13:26:01 +03:00 · 2024-01-30 16:30:25 +01:00 · 2024-01-30 16:30:25 +01:00 · d648a44ff5
commit d648a44ff5
parent a859574bf2 5f28c2bb21
2 changed files with 58 additions and 18 deletions
--- a/src/transaction.cc
+++ b/src/transaction.cc
@ -463,6 +463,14 @@ int Transaction::processURI(const char *uri, const char *method,

    size_t pos_raw_query = uri_s.find("?");

+    std::string path_info_raw;
+    if (pos_raw_query == std::string::npos) {
+        path_info_raw = std::string(uri_s, 0);
+    } else {
+        path_info_raw = std::string(uri_s, 0, pos_raw_query);
+    }
+    std::string path_info = utils::uri_decode(path_info_raw);
+
    m_uri_decoded = utils::uri_decode(uri_s);

    size_t var_size = pos_raw_query;
@ -477,15 +485,8 @@ int Transaction::processURI(const char *uri, const char *method,
    m_variableRequestProtocol.set("HTTP/" + std::string(http_version),
        m_variableOffset + requestLine.size() + 1);

-
-    size_t pos_query = m_uri_decoded.find("?");
-    if (pos_query != std::string::npos) {
-        m_uri_no_query_string_decoded = std::unique_ptr<std::string>(
-            new std::string(m_uri_decoded, 0, pos_query));
-    } else {
-        m_uri_no_query_string_decoded = std::unique_ptr<std::string>(
-            new std::string(m_uri_decoded));
-    }
+    m_uri_no_query_string_decoded = std::unique_ptr<std::string>(
+        new std::string(path_info));


    if (pos_raw_query != std::string::npos) {
@ -495,12 +496,7 @@ int Transaction::processURI(const char *uri, const char *method,
            + std::string(method).size() + 1);
    }

-    std::string path_info;
-    if (pos_query == std::string::npos) {
-        path_info = std::string(m_uri_decoded, 0);
-    } else {
-        path_info = std::string(m_uri_decoded, 0, pos_query);
-    }
+
    if (var_size == std::string::npos) {
        var_size = uri_s.size();
    }
--- a/test/test-cases/regression/variable-PATH_INFO.json
+++ b/test/test-cases/regression/variable-PATH_INFO.json
@ -2,7 +2,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Testing Variables :: PATH_INFO (1/3)",
+    "title":"Testing Variables :: PATH_INFO (1/4)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -46,7 +46,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Testing Variables :: PATH_INFO (2/3)",
+    "title":"Testing Variables :: PATH_INFO (2/4)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -90,7 +90,7 @@
  {
    "enabled":1,
    "version_min":300000,
-    "title":"Testing Variables :: PATH_INFO (3/3)",
+    "title":"Testing Variables :: PATH_INFO (3/4)",
    "client":{
      "ip":"200.249.12.31",
      "port":123
@ -130,5 +130,49 @@
      "SecRuleEngine On",
      "SecRule PATH_INFO \"@contains test \" \"id:1,phase:3,pass,t:trim\""
    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Testing Variables :: PATH_INFO (4/4)",
+    "client":{
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{
+      "headers":{
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*",
+        "Content-Length":"27",
+        "Content-Type":"application/x-www-form-urlencoded"
+      },
+      "uri":"/one/t%3fo/three?key=value",
+      "method":"POST",
+      "body":[
+        "param1=value1&param2=value2"
+      ]
+    },
+    "response":{
+      "headers":{
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[
+        "no need."
+      ]
+    },
+    "expected":{
+      "http_code": 403
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecRule PATH_INFO \"@contains three\" \"id:1,phase:2,deny,status:403,t:trim\""
+    ]
  }
 ]