From 4c8b6ad77ad9cbc86c283f0909f954f078dbda7c Mon Sep 17 00:00:00 2001
From: Aaron Hicks
Date: Mon, 29 Sep 2014 14:15:51 +1300
Subject: [PATCH] AllowEncodedSlashes can have a server default set with the apache class, and overridden with an apache::vhost declaration
---
 README.md | 8 ++++++++
 manifests/init.pp | 5 +++++
 manifests/vhost.pp | 9 +++++++++
 spec/classes/apache_spec.rb | 16 ++++++++++++++++
 spec/defines/vhost_spec.rb | 1 +
 templates/httpd.conf.erb | 3 +++
 templates/vhost.conf.erb | 3 +++
 7 files changed, 45 insertions(+)
diff --git a/README.md b/README.md
index d5e388f57..8472cad87 100644
--- a/README.md
+++ b/README.md
@@ -226,6 +226,10 @@ You may establish a default vhost in this class, the `vhost` class, or both. You
 **Parameters within `apache`:**
+#####`allow_encoded_slashes`
+
+This sets the server default for the [`AllowEncodedSlashes` declaration](http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes) which modifies the responses to URLs with `\` and `/` characters. The default is undefined, which will omit the declaration from the server configuration and select the Apache default setting of `Off`. Allowed values are: `on`, `off` or `nodecode`.
+
 #####`apache_version`
 Configures the behavior of the module templates, package names, and default mods by setting the Apache version. Default is determined by the class `apache::version` using the OS family and release. It should not be configured manually without special reason.
@@ -902,6 +906,10 @@ For `alias` and `aliasmatch` to work, each will need a corresponding context, su
 *Note:* If `apache::mod::passenger` is loaded and `PassengerHighPerformance => true` is set, then Alias may have issues honoring the `PassengerEnabled => off` statement. See [this article](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html) for details.
+#####`allow_encoded_slashes`
+
+This sets the [`AllowEncodedSlashes` declaration](http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes) for the vhost, overriding the server default. This modifies the vhost responses to URLs with `\` and `/` characters. The default is undefined, which will omit the declaration from the server configuration and select the Apache default setting of `Off`. Allowed values are: `on`, `off` or `nodecode`.
+
 #####`block`
 Specifies the list of things Apache will block access to. The default is an empty set, '[]'. Currently, the only option is 'scm', which blocks web access to .svn, .git and .bzr directories.
diff --git a/manifests/init.pp b/manifests/init.pp
index 74e3d6a05..b5e920457 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -63,6 +63,7 @@
 $server_tokens = 'OS',
 $server_signature = 'On',
 $trace_enable = 'On',
+ $allow_encoded_slashes = undef,
 $package_ensure = 'installed',
 ) inherits ::apache::params {
 validate_bool($default_vhost)
@@ -80,6 +81,10 @@
 validate_re($mpm_module, $valid_mpms_re)
 }
+ if $allow_encoded_slashes {
+ validate_re($allow_encoded_slashes, '(^on$|^off$|^nodecode$)', "${allow_encoded_slashes} is not permitted for allow_encoded_slashes. Allowed values are 'on', 'off' or 'nodecode'.")
+ }
+
 # NOTE: on FreeBSD it's mpm module's responsibility to install httpd package.
 # NOTE: the same strategy may be introduced for other OSes. For this, you
 # should delete the 'if' block below and modify all MPM modules' manifests
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
index 1586f34a3..0f28d728d 100644
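Review bot: The pattern `'(^on$|^off$|^nodecode$)'` in the new `validate_re` call of the `@@ -80` hunk is line-anchored rather than string-anchored: `validate_re` compiles it as a Ruby regexp, where `^` and `$` match at line boundaries, so a multi-line value whose first line is one of the three words passes validation and is then written verbatim into httpd.conf by the `<%= @allow_encoded_slashes %>` line in templates/httpd.conf.erb. Anchor the whole string instead: `validate_re($allow_encoded_slashes, '\A(on|off|nodecode)\z', "${allow_encoded_slashes} is not permitted for allow_encoded_slashes. Allowed values are 'on', 'off' or 'nodecode'.")`. The `@@ -182` hunk in manifests/vhost.pp copies the same pattern and needs the same change. The `class apache` body these lines belong to starts and ends outside the hunk.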
--- a/manifests/vhost.pp
+++ b/manifests/vhost.pp
@@ -96,6 +96,7 @@
 $fastcgi_dir = undef,
 $additional_includes = [],
 $apache_version = $::apache::apache_version,
+ $allow_encoded_slashes = undef,
 $suexec_user_group = undef,
 ) {
 # The base class must be included first because it is used by parameter defaults
@@ -122,6 +123,8 @@
 validate_hash($rewrites[0])
 }
+ # Input validation begins
+
 if $suexec_user_group {
 validate_re($suexec_user_group, '^\w+ \w+$', "${suexec_user_group} is not supported for suexec_user_group. Must be 'user group'.")
@@ -182,6 +185,12 @@
 validate_string($custom_fragment)
 }
+ if $allow_encoded_slashes {
+ validate_re($allow_encoded_slashes, '(^on$|^off$|^nodecode$)', "${allow_encoded_slashes} is not permitted for allow_encoded_slashes. Allowed values are 'on', 'off' or 'nodecode'.")
+ }
+
+ # Input validation ends
+
 if $ssl and $ensure == 'present' {
 include ::apache::mod::ssl
 # Required for the AddType lines.
diff --git a/spec/classes/apache_spec.rb b/spec/classes/apache_spec.rb
index 198f1138b..dc5d6b46a 100644
--- a/spec/classes/apache_spec.rb
+++ b/spec/classes/apache_spec.rb
@@ -94,6 +94,14 @@
 it { is_expected.to contain_file("/etc/apache2/apache2.conf").with_content %r{^IncludeOptional "/etc/apache2/conf\.d/\*\.conf"$} }
 end
+ context "when specifying slash encoding behaviour" do
+ let :params do
+ { :allow_encoded_slashes => 'nodecode' }
+ end
+
+ it { is_expected.to contain_file("/etc/apache2/apache2.conf").with_content %r{^AllowEncodedSlashes nodecode$} }
+ end
+
 # Assert that both load files and conf files are placed and symlinked for these mods
 [
 'alias',
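Review bot: The `# Input validation begins` marker added in the `@@ -122` hunk sits directly after `validate_hash($rewrites[0])`, which is itself input validation, so the marker does not describe where validation starts and a reader scanning for the section boundary will be misled. Either move it above the first `validate_*` call in the define or drop the begin/end pair, since the `validate_*` calls already make the section obvious. The `apache::vhost` define these hunks belong to starts and ends outside the hunks.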
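Review bot: The new `context "when specifying slash encoding behaviour"` only exercises the accepted value `nodecode`; nothing checks that the `validate_re` added in manifests/init.pp rejects an unlisted value, so a regression in that pattern would not be caught. Add a sibling context with `let(:params) { { :allow_encoded_slashes => 'bogus' } }` and `it { expect { subject }.to raise_error(Puppet::Error, /not permitted for allow_encoded_slashes/) }`. The `@@ -305` hunk of the same file has the same gap. The enclosing `describe` block starts and ends outside the hunk.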
@@ -305,6 +313,14 @@
 it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^IncludeOptional "/etc/httpd/conf\.d/\*\.conf"$} }
 end
+ context "when specifying slash encoding behaviour" do
+ let :params do
+ { :allow_encoded_slashes => 'nodecode' }
+ end
+
+ it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^AllowEncodedSlashes nodecode$} }
+ end
+
 it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^Include "/etc/httpd/site\.d/\*"$} }
 it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^Include "/etc/httpd/mod\.d/\*\.conf"$} }
 it { is_expected.to contain_file("/etc/httpd/conf/httpd.conf").with_content %r{^Include "/etc/httpd/mod\.d/\*\.load"$} }
diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb
index c5e1fe05e..5908a7ede 100644
--- a/spec/defines/vhost_spec.rb
+++ b/spec/defines/vhost_spec.rb
@@ -231,6 +231,7 @@
 'additional_includes' => '/custom/path/includes',
 'apache_version' => '2.4',
 'suexec_user_group' => 'root root',
+ 'allow_encoded_slashes' => 'nodecode'
 }
 end
 let :facts do
diff --git a/templates/httpd.conf.erb b/templates/httpd.conf.erb
index cac3aaf10..68d6b50ae 100644
--- a/templates/httpd.conf.erb
+++ b/templates/httpd.conf.erb
@@ -35,6 +35,9 @@
 HostnameLookups Off
 ErrorLog "<%= @logroot %>/<%= @error_log %>"
 LogLevel <%= @log_level %>
 EnableSendfile <%= @sendfile %>
+<%- if @allow_encoded_slashes -%>
+AllowEncodedSlashes <%= @allow_encoded_slashes %>
+<%- end -%>
 #Listen 80
diff --git a/templates/vhost.conf.erb b/templates/vhost.conf.erb
index 95ad3ce7d..859a3ae7f 100644
--- a/templates/vhost.conf.erb
+++ b/templates/vhost.conf.erb
@@ -22,6 +22,9 @@
 <% if @fallbackresource -%>
 FallbackResource <%= @fallbackresource %>
 <% end -%>
+<%- if @allow_encoded_slashes -%>
+ AllowEncodedSlashes <%= @allow_encoded_slashes %>
+<%- end -%>
 ## Directories, there should at least be a declaration for <%= @docroot %>
 <%= scope.function_template(['apache/vhost/_directories.erb']) -%>
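Review bot: The added conditional opens with `<%-` while the existing conditional two lines above it in the same hunk (`<% if @fallbackresource -%>` / `<% end -%>`) uses plain `<%`, so the template now mixes two tag styles for the same construct. Presumably there is no functional difference as long as the tags start their line, but matching the surrounding convention with `<% if @allow_encoded_slashes -%>` and `<% end -%>` keeps the file consistent. The enclosing `<VirtualHost>` block starts and ends outside the hunk.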