httpd-cvs mailing list archives

From dgau...@hyperreal.org
Subject cvs commit: apache-1.2/src CHANGES mod_userdir.c
Date Sat, 14 Feb 1998 03:39:20 GMT
dgaudet     98/02/13 19:39:20

  Modified:    src      CHANGES mod_userdir.c
  Log:
  Deal with /~.. and lame UserDir /abspath.
  
  PR:		1701
  Submitted by:	Lauri Jesmin <jesmin@ut.ee>
  Reviewed by:	Dean Gaudet, Marc Slemko
  
  Revision  Changes    Path
  1.294     +5 -0      apache-1.2/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /export/home/cvs/apache-1.2/src/CHANGES,v
  retrieving revision 1.293
  retrieving revision 1.294
  diff -u -r1.293 -r1.294
  --- CHANGES	1998/02/14 02:51:36	1.293
  +++ CHANGES	1998/02/14 03:39:18	1.294
  @@ -1,5 +1,10 @@
   Changes with Apache 1.2.6
   
  +  *) SECURITY: "UserDir /abspath" without a * in the path would allow
  +     remote users to access "/~.." and bypass access restrictions
  +     (but note /~../.. was handled properly).
  +     [Lauri Jesmin <jesmin@ut.ee>] PR#1701
  +
     *) mod_rewrite's RewriteLog should behave like mod_log_config, it
        shouldn't force hostname lookups.  [Dean Gaudet] PR#1684
   
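Review bot: the new CHANGES entry describes the hole but not the fix, so someone reading the 1.2.6 notes cannot tell what behaviour changed. Suggest naming mod_userdir and saying that requests for "/~.." are now declined. The comment added in mod_userdir.c also lists the empty username and "." as disallowed, so if "/~." is meant to be covered the entry should mention it too.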
  
  
  
  1.16      +2 -1      apache-1.2/src/mod_userdir.c
  
  Index: mod_userdir.c
  ===================================================================
  RCS file: /export/home/cvs/apache-1.2/src/mod_userdir.c,v
  retrieving revision 1.15
  retrieving revision 1.16
  diff -u -r1.15 -r1.16
  --- mod_userdir.c	1998/01/30 09:14:10	1.15
  +++ mod_userdir.c	1998/02/14 03:39:18	1.16
  @@ -128,7 +128,8 @@
         dname = name + 2;
         w = getword(r->pool, &dname, '/');
   
  -      if (!strcmp(w, ""))
  +      /* disallow the empty username, . and .. */
  +      if (w[0] == '\0' || (w[1] == '.' && (w[2] == '\0' || (w[2] == '.' &&
w[3] == '\0'))))
   	return DECLINED;
   
         /* The 'dname' funny business involves backing it up to capture
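Review bot: in the added condition the dot tests start at w[1] instead of w[0], so the check does not match the comment directly above it. With w equal to "." the empty test fails, w[1] is '\0', and the request is not declined. The ".." case is caught only because its second character is also a dot, and any name whose second character is a dot followed by the end of the string or by one more dot (for example "x." or "x..") is declined as well. If the intent is exactly the empty name, "." and "..", the part after the empty check should read `w[0] == '.' && (w[1] == '\0' || (w[1] == '.' && w[2] == '\0'))`. The reads themselves stay in bounds because each index is only examined after the previous character was found to be non-NUL. The condition is long enough that breaking it across lines at the `||`, or moving it into a small helper, would make this kind of index slip easier to spot.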
  
  
  
