httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From m...@hyperreal.org
Subject cvs commit: apache-1.3/src/modules/standard mod_include.c
Date Mon, 09 Nov 1998 07:03:21 GMT
marc        98/11/08 23:03:20

  Modified:    src      CHANGES
               src/modules/standard mod_include.c
  Log:
  Add more extensive checks to mod_include to avoid infinite recursive
  includes.
  
  The logic used is commented in the source.  It should be complete
  for the current Apache code base, but if something else starts modifying
  r->filename outside of a filename translation stage that could change.
  
  The code scans, at each stage, every subrequest for each level of
  an internal redirect so it ends up being O(n^2) total in the
  number of subrequests and internal redirects, but that shouldn't
  be an issue.
  
  PR: 3323
  
  Revision  Changes    Path
  1.1142    +3 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1141
  retrieving revision 1.1142
  diff -u -r1.1141 -r1.1142
  --- CHANGES	1998/11/08 21:24:03	1.1141
  +++ CHANGES	1998/11/09 07:03:16	1.1142
  @@ -1,5 +1,8 @@
   Changes with Apache 1.3.4
   
  +  *) SECURITY: Do a more complete check in mod_include to avoid 
  +     an infinite loop of recursive SSI includes.  [Marc Slemko] PR#3323
  +
     *) Add APACI --suexec-docroot and --suexec-logfile options which can be
        used to set the document root directory (DOC_ROOT) and the suexec
        logfile (LOG_EXEC), respectively. Additionally the --layout option
  
  
  
  1.106     +33 -5     apache-1.3/src/modules/standard/mod_include.c
  
  Index: mod_include.c
  ===================================================================
  RCS file: /export/home/cvs/apache-1.3/src/modules/standard/mod_include.c,v
  retrieving revision 1.105
  retrieving revision 1.106
  diff -u -r1.105 -r1.106
  --- mod_include.c	1998/09/24 14:06:42	1.105
  +++ mod_include.c	1998/11/09 07:03:19	1.106
  @@ -688,13 +688,41 @@
                       "in parsed file %s";
               }
               if (error_fmt == NULL) {
  +		/* try to avoid recursive includes.  We do this by walking
  +		 * up the r->main list of subrequests, and at each level
  +		 * walking back through any internal redirects.  At each
  +		 * step, we compare the filenames and the URIs.  
  +		 *
  +		 * The filename comparison catches a recursive include
  +		 * with an ever-changing URL, eg.
  +		 * <!--#include virtual=
  +		 *      "$REQUEST_URI/$QUERY_STRING?$QUERY_STRING/x"-->
  +		 * which, although they would eventually be caught because
  +		 * we have a limit on the length of files, etc., can 
  +		 * recurse for a while.
  +		 *
  +		 * The URI comparison catches the case where the filename
  +		 * is changed while processing the request, so the 
  +		 * current name is never the same as any previous one.
  +		 * This can happen with "DocumentRoot /foo" when you
  +		 * request "/" on the server and it includes "/".
  +		 * This only applies to modules such as mod_dir that 
  +		 * (somewhat improperly) mess with r->filename outside 
  +		 * of a filename translation phase.
  +		 */
  +		int founddupe = 0;
                   request_rec *p;
  +                for (p = r; p != NULL && !founddupe; p = p->main) {
  +		    request_rec *q;
  +		    for (q = p; q != NULL; q = q->prev) {
  +			if ( (strcmp(q->filename, rr->filename) == 0) ||
  +			     (strcmp(q->uri, rr->uri) == 0) ){
  +			    founddupe = 1;
  +			    break;
  +			}
  +		    }
  +		}
   
  -                for (p = r; p != NULL; p = p->main) {
  -                    if (strcmp(p->filename, rr->filename) == 0) {
  -                        break;
  -                    }
  -                }
                   if (p != NULL) {
                       error_fmt = "Recursive include of \"%s\" "
                           "in parsed file %s";
  
  
  

Mime
View raw message