httpd-cvs mailing list archives

From f...@locus.apache.org
Subject cvs commit: apache-1.3/src/main http_vhost.c
Date Thu, 28 Sep 2000 09:26:10 GMT
fanf        00/09/28 02:26:07

  Modified:    src      CHANGES
               src/main http_vhost.c
  Log:
  Tighten up the syntax checking of Host: headers to fix a
  security bug in some mass virtual hosting configurations
  that can allow a remote attacker to retrieve some files
  on the system that should be inaccessible. The problem
  occurred with requests including the line "Host: ..." --
  the last dot is stripped and the remaining ".." then
  reveals a parent directory.
  
  Reported by: Peter Christoffersen <pch@mindpass.com>
  Message-ID: <8quts6$2el$1@news.inet.tele.dk>
  Newsgroups: comp.infosystems.www.servers.unix
  
  Revision  Changes    Path
  1.1581    +5 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1580
  retrieving revision 1.1581
  diff -u -u -r1.1580 -r1.1581
  --- CHANGES	2000/09/25 20:24:16	1.1580
  +++ CHANGES	2000/09/28 09:25:56	1.1581
  @@ -1,5 +1,10 @@
   Changes with Apache 1.3.13
   
  +  *) Tighten up the syntax checking of Host: headers to fix a
  +     security bug in some mass virtual hosting configurations
  +     that can allow a remote attacker to retrieve some files
  +     on the system that should be inaccessible. [Tony Finch]
  +
     *) Add support for /, //, //servername and //server/sharename 
        parsing of <Directory > blocks under Win32 and OS2.
        [Tim Costello, William Rowe, Brian Harvard]
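Review bot: The new CHANGES entry says only "some mass virtual hosting configurations" and does not name the trigger, so an administrator reading it cannot tell whether their setup is affected. The commit log already has the detail (a Host: header ending in dots, where the last dot is stripped and ".." remains); one more line in the entry saying that Host: values containing ".." are now rejected would make it actionable. The log also credits the reporter, Peter Christoffersen, while the entry credits only the author of the fix; consider adding the reporter there too.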
  
  
  
  1.20      +8 -1      apache-1.3/src/main/http_vhost.c
  
  Index: http_vhost.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/main/http_vhost.c,v
  retrieving revision 1.19
  retrieving revision 1.20
  diff -u -u -r1.19 -r1.20
  --- http_vhost.c	2000/09/12 16:32:38	1.19
  +++ http_vhost.c	2000/09/28 09:26:02	1.20
  @@ -696,7 +696,14 @@
       src = r->hostname;
       dst = host;
       while (*src) {
  -	if (!ap_isalnum(*src) && *src != '.' && *src != '-') {
  +	if (!ap_isalnum(*src) && *src != '-') {
  +	    if (*src == '.') {
  +		*dst++ = *src++;
  +		if (*src == '.')
  +		    goto bad;
  +		else
  +		    continue;
  +	    }
   	    if (*src == ':')
   		break;
   	    else
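Review bot: The added `if (*src == '.')` branch rejects a dot only when the next character is also a dot, so a hostname that begins with a single dot, or consists of just ".", is still copied into `host` by `*dst++ = *src++;`. If the copied name is later used as a path component, as the log message describes, it is worth rejecting a dot at the start as well, for example by also taking `goto bad` when `dst == host` at that point. The branch would also benefit from a short comment stating why adjacent dots are refused (the trailing dot is stripped later, leaving ".."), since the reason is not evident from the code alone. Minor style point: the `else` before `continue;` is redundant after `goto bad;`.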
  
  
  
