httpd-cvs mailing list archives

From r..@hyperreal.org
Subject cvs commit: apache-1.3/src/support suexec.c
Date Thu, 10 Sep 1998 09:24:00 GMT
rse         98/09/10 02:23:59

  Modified:    src      CHANGES
               src/support suexec.c
  Log:
  Fix possible buffer overflow situation in suexec.c.
  
  PS: The PR#2790 provides a few more fixes for problematic
      things in suexec.c. Because we have to be very careful here, others
      should review them, too. That's why I commit only some of the fixes from
      this patch.
  
      The other problem we _really_ have to fix is the docroot-check at line
      428. But here the patch from the PR submitter seems to introduce a new
      problem: It accesses cwd[dlen] which can be out of memory bounds. Here
      memory bounds have to be checked first.
  
      So, I would appreciate it if some others look at PR#2790, please.  At least
      the docroot-check _has_ to be fixed by us! But correctly, i.e. without
      introducing new problems, of course ;_)
  
  Submitted by: Jeff Stewart <jws@purdue.edu>
  Reviewed by: Ralf S. Engelschall
  PR: 2790
  
  Revision  Changes    Path
  1.1054    +3 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1053
  retrieving revision 1.1054
  diff -u -r1.1053 -r1.1054
  --- CHANGES	1998/09/10 08:58:40	1.1053
  +++ CHANGES	1998/09/10 09:23:57	1.1054
  @@ -1,5 +1,8 @@
   Changes with Apache 1.3.2
   
  +  *) Fix possible buffer overflow situation in suexec.c.
  +     [Jeff Stewart <jws@purdue.edu>] PR#2790
  +
     *) Add some more LIBS for the SCO5 platform which are needed for the already
        used -lprot. It's actually a bug in SCO5, of course.
        [Ronald Record <rr@sco.com>] PR#2533
  
  
  
  1.45      +6 -4      apache-1.3/src/support/suexec.c
  
  Index: suexec.c
  ===================================================================
  RCS file: /export/home/cvs/apache-1.3/src/support/suexec.c,v
  retrieving revision 1.44
  retrieving revision 1.45
  diff -u -r1.44 -r1.45
  --- suexec.c	1998/07/13 11:32:59	1.44
  +++ suexec.c	1998/09/10 09:23:59	1.45
  @@ -209,7 +209,11 @@
   	exit(120);
       }
   
  -    for (ep = environ; *ep && cidx < AP_ENVBUF; ep++) {
  +    sprintf(pathbuf, "PATH=%s", SAFE_PATH);
  +    cleanenv[cidx] = strdup(pathbuf);
  +    cidx++
  +
  +    for (ep = environ; *ep && cidx < AP_ENVBUF-1; ep++) {
   	if (!strncmp(*ep, "HTTP_", 5)) {
   	    cleanenv[cidx] = *ep;
   	    cidx++;
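Review bot: The added line `+    cidx++` is missing its terminating semicolon, so this hunk does not compile as shown; it should read `cidx++;`, matching the existing `cidx++;` in the loop body just below. Apart from that, the reordering is sound: storing the `PATH=` entry at cleanenv[0] before the loop and changing the loop bound to `cidx < AP_ENVBUF-1` leaves exactly one slot free for the NULL terminator, which is what closes the overflow named in the log message. The size of pathbuf is not visible in this hunk; SAFE_PATH is a compile-time constant, so the sprintf is bounded by it, but the declaration should be checked to hold "PATH=" plus SAFE_PATH plus the trailing NUL.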
  @@ -226,9 +230,7 @@
   	}
       }
   
  -    sprintf(pathbuf, "PATH=%s", SAFE_PATH);
  -    cleanenv[cidx] = strdup(pathbuf);
  -    cleanenv[++cidx] = NULL;
  +    cleanenv[cidx] = NULL;
   
       environ = cleanenv;
   }
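Review bot: Replacing `cleanenv[++cidx] = NULL` with `cleanenv[cidx] = NULL` is the right counterpart to the first hunk. The old code could leave the loop with cidx == AP_ENVBUF, then write the strdup'd PATH entry at cleanenv[AP_ENVBUF] and the terminator at cleanenv[AP_ENVBUF+1], two elements past the end of the array. With the loop now stopping at AP_ENVBUF-1 and no further pre-increment, the terminator lands at index AP_ENVBUF-1 at most, inside the array. One side effect worth stating in the log: `PATH=` is now the first entry of the sanitized environment rather than the last; this does not matter to execve, but it is a visible ordering change.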
  