apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: [Patch] apr_filepath_merge() on "c:path" fails consistently on Windows if the current directory is "c:/windows" instead of "C:/Windows"
Date Mon, 05 Jul 2010 20:57:51 GMT
On 7/5/2010 3:46 PM, Bert Huijben wrote:
> 
> Too bad, that without this patch you can't call the truepath support on a merged path
and that Windows has 26 (or 27) current directories while APR assumes that there is only one.

Hold up... are you trying to merge non-normalized paths?

I need to have a good understanding to help resolve the underlying issue.

> The assumption on the upper case drive letters is applied before all the other checks,
so you don't get to fetching a true path.

I'll walk through this, but your conclusion sounds correct.

> And even if you would use the truepath support to normalize a path, that doesn't normalize
the drive letter casing. It just returns what you feed it.

That is a serious bug we should address, too, if it turns out that it is
possible to have win32 return both upper and lower case strings without
ever normalizing them.

> All the security problems you mention are valid when applied to the directory parts of
a path, but can never happen on just the drive letter and this patch only changes the drive
letter check.

As long as the user is lead to the conclusion that *they* are entitled to
do a strcmp(), but our results are inconsistent, we open their code to a
security issue.


Mime
View raw message