apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bert Huijben" <b...@qqmail.nl>
Subject RE: [Patch] apr_filepath_merge() on "c:path" fails consistently on Windows if the current directory is "c:/windows" instead of "C:/Windows"
Date Mon, 05 Jul 2010 20:46:26 GMT


> -----Original Message-----
> From: William A. Rowe Jr. [mailto:wrowe@rowe-clan.net]
> Sent: maandag 5 juli 2010 22:35
> To: dev@apr.apache.org
> Subject: Re: [Patch] apr_filepath_merge() on "c:path" fails
> consistently on Windows if the current directory is "c:/windows"
> instead of "C:/Windows"
> 
> This patch isn't valid.
> 
> Other applications will play games with comparisons.  Comparisons
> require
> users to call TRUEPATH.  What seems to be needed here is for
> apr_pathname_cwd
> to be returning a true path.
> 
> All other comparisons are intrinsically invalid, and this has the
> potential
> to introduce security issues in other applications which rely on
> comparing
> path names.

Too bad, that without this patch you can't call the truepath support on a merged path and
that Windows has 26 (or 27) current directories while APR assumes that there is only one.

The assumption on the upper case drive letters is applied before all the other checks, so
you don't get to fetching a true path.

And even if you would use the truepath support to normalize a path, that doesn't normalize
the drive letter casing. It just returns what you feed it.


All the security problems you mention are valid when applied to the directory parts of a path,
but can never happen on just the drive letter and this patch only changes the drive letter
check.

	Bert



Mime
View raw message