owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0
7.7k stars 1.54k forks

Change REQUEST_FILENAME behavior #3048

Closed (airween closed 4 months ago)

sonarcloud[bot] commented 4 months ago

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

liudongmiao commented 4 months ago

I don't know why I didn't make a PR, or even an issue. However, our version was patched in 2022:

// It only patches the use of path_info.

--- src/transaction.cc  2022-03-19 13:59:14.000000000 +0800
+++ /tmp/transaction.cc 2024-02-02 17:46:05.000000000 +0800
@@ -463,6 +463,14 @@ int Transaction::processURI(const char *

     size_t pos_raw_query = uri_s.find("?");

+    std::string path_info_raw;
+    if (pos_raw_query == std::string::npos) {
+        path_info_raw = std::string(uri_s, 0);
+    } else {
+        path_info_raw = std::string(uri_s, 0, pos_raw_query);
+    }
+    std::string path_info = utils::uri_decode(path_info_raw);
+
     m_uri_decoded = utils::uri_decode(uri_s);

     size_t var_size = pos_raw_query;
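
Review bot: the two-branch copy `std::string(uri_s, 0)` / `std::string(uri_s, 0, pos_raw_query)` can collapse to a single `uri_s.substr(0, pos_raw_query)`, because `substr` with `npos` as the count takes the rest of the string; that also removes the `path_info_raw` temporary, leaving `std::string path_info = utils::uri_decode(uri_s.substr(0, pos_raw_query));`. Since the path is now cut at the raw `?` and decoded separately from `m_uri_decoded`, a one-line comment at the declaration saying why the split has to happen before decoding would save the next reader from "simplifying" it back to a split of the decoded string.
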
@@ -477,14 +485,6 @@ int Transaction::processURI(const char *
     m_variableRequestProtocol.set("HTTP/" + std::string(http_version),
         m_variableOffset + requestLine.size() + 1);

-
-    std::string path_info;
-    if (pos_raw_query == std::string::npos) {
-        path_info = std::string(uri_s, 0);
-    } else {
-        path_info = std::string(uri_s, 0, pos_raw_query);
-    }
-    path_info = utils::uri_decode(path_info);
     m_uri_no_query_string_decoded = std::unique_ptr<std::string>(
             new std::string(path_info));

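Review bot: this hunk is a pure relocation: the removed lines are the block added at `-463` under the name `path_info_raw`, so `m_uri_no_query_string_decoded` still receives the same decoded path and nothing here changes behaviour. The deletion also drops the unrelated blank line after `m_variableOffset + requestLine.size() + 1);`; keeping the hunk to the move itself keeps the diff minimal and easier to bisect.
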
@@ -496,6 +496,7 @@ int Transaction::processURI(const char *

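Review bot: the hunk at `@@ -496,6 +496,7 @@` is present only as its header, so the single added line it describes, presumably the place where the relocated `path_info` is consumed, cannot be reviewed from this comment; please paste the complete hunk, ideally with a test covering a URI with and without a query string, so the REQUEST_FILENAME behaviour change the PR title announces is actually verifiable.
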
Should I review all our changes, and try to make a PR or issue?

airween commented 4 months ago

I don't know why I didn't make a PR, or even an issue. However, our version was patched in 2022:

Well, there are a few of us who walk this path :)

Should I review all our changes, and try to make a PR or issue?

Sure, let's see and discuss it. Also, there is a channel on OWASP's Slack that you can join; the name is #project-modsecurity.