use AP_EXPR_FLAG_RESTRICTED in htaccess

covener · covener · commit cfb8882f04b1 · 2026-04-26T15:59:34.000Z
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933349 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
@@ -3686,12 +3686,17 @@ static const char *cmd_rewritecond(cmd_parms *cmd, void *in_dconf,
         newcond->regexp  = regexp;
     }
     else if (newcond->ptype == CONDPAT_AP_EXPR) {
+        int in_htaccess = cmd->pool == cmd->temp_pool;
         unsigned int flags = newcond->flags & CONDFLAG_NOVARY ?
                              AP_EXPR_FLAG_DONT_VARY : 0;
+        /* Use restricted ap_expr() parser in htaccess context. */
+        if (in_htaccess) flags |= AP_EXPR_FLAG_RESTRICTED;
         newcond->expr = ap_expr_parse_cmd(cmd, a2, flags, &err, NULL);
         if (err)
             return apr_psprintf(cmd->pool, "RewriteCond: cannot compile "
-                                "expression \"%s\": %s", a2, err);
+                                "expression%s \"%s\" %s",
+                                in_htaccess ? " in htaccess context" : "",
+                                a2, err);
     }
 
     return NULL;
diff --git a/modules/metadata/mod_setenvif.c b/modules/metadata/mod_setenvif.c
@@ -435,6 +435,12 @@ static const char *add_setenvifexpr(cmd_parms *cmd, void *mconfig,
     sei_cfg_rec *sconf;
     sei_entry *new;
     const char *err;
+    unsigned int flags = 0;
+
+    /* Use restricted ap_expr() parser in htaccess context. */
+    if (cmd->pool == cmd->temp_pool) {
+        flags |= AP_EXPR_FLAG_RESTRICTED;
+    }
 
     /*
      * Determine from our context into which record to put the entry.
@@ -458,7 +464,7 @@ static const char *add_setenvifexpr(cmd_parms *cmd, void *mconfig,
     new->regex = NULL;
     new->pattern = NULL;
     new->preg = NULL;
-    new->expr = ap_expr_parse_cmd(cmd, expr, 0, &err, NULL);
+    new->expr = ap_expr_parse_cmd(cmd, expr, flags, &err, NULL);
     if (err)
         return apr_psprintf(cmd->pool, "Could not parse expression \"%s\": %s",
                             expr, err);
diff --git a/modules/proxy/mod_proxy_fcgi.c b/modules/proxy/mod_proxy_fcgi.c
@@ -1342,9 +1342,15 @@ static const char *cmd_setenv(cmd_parms *cmd, void *in_dconf,
     const char *err;
     sei_entry *new;
     const char *envvar = arg2;
+    unsigned int flags = 0;
+
+    /* Use restricted ap_expr() parser in htaccess context. */
+    if (cmd->pool == cmd->temp_pool) {
+        flags |= AP_EXPR_FLAG_RESTRICTED;
+    }
 
     new = apr_array_push(dconf->env_fixups);
-    new->cond = ap_expr_parse_cmd(cmd, arg1, 0, &err, NULL);
+    new->cond = ap_expr_parse_cmd(cmd, arg1, flags, &err, NULL);
     if (err) {
         return apr_psprintf(cmd->pool, "Could not parse expression \"%s\": %s",
                             arg1, err);
@@ -1371,7 +1377,8 @@ static const char *cmd_setenv(cmd_parms *cmd, void *in_dconf,
             arg3 = "";
         }
 
-        new->subst = ap_expr_parse_cmd(cmd, arg3, AP_EXPR_FLAG_STRING_RESULT, &err, NULL);
+        flags |= AP_EXPR_FLAG_STRING_RESULT;
+        new->subst = ap_expr_parse_cmd(cmd, arg3, flags, &err, NULL);
         if (err) {
             return apr_psprintf(cmd->pool, "Could not parse expression \"%s\": %s",
                                 arg3, err);
