httpd-cvs mailing list archives

From f...@locus.apache.org
Subject cvs commit: apache-1.3/src/main http_vhost.c
Date Fri, 10 Nov 2000 01:30:58 GMT
fanf        00/11/09 17:30:57

  Modified:    .        STATUS
               src      CHANGES
               src/main http_vhost.c
  Log:
  In mass hosting setups (using mod_vhost_alias or mod_rewrite) where
  the hostname is interpolated into the filename, we need to be sure
  that the result of interpolation doesn't expose parts of the
  filesystem that should be private. This was done by checking the
  syntax of the Host: header according to RFC 1123 and RFC 952. However,
  many people have broken configurations that violate this syntax
  (frequently because they use underscores in their names), and it also
  doesn't accommodate the current effort to internationalize the DNS. I
  don't think the former is a compelling reason to relax the syntax
  checking, but the latter does justify this change.
  
  The only RFC on internationalized DNS at the moment is RFC 2825 which
  is an introduction to how difficult the whole thing is; the other
  official documentation is a pile of Internet Drafts produced by the
  Internationalized Domain Names Working Group of the IETF (with names
  starting "draft-ietf-idn-"). However they have very little to say
  about URIs, and the current Internet draft about internationalized
  URIs (draft-masinter-url-i18n-05) has very little to say about
  hostnames :-( On the gripping hand there is some useful information at
  <http://www.apng.org/idns/> where there is some iDNS testbed work
  going on. The basic idea is that although the format of the hostnames
  in the DNS itself remains compatible with RFC 1123, the actual
  hostname presented to the resolver is in UTF8, and therefore the
  hostname in the URL and Host: header is also in UTF8.
  
  This change relaxes the checking so that only character sequences that
  are sensitive to the filesystem are rejected, i.e. forward slashes,
  backward slashes, and sequences of more than one dot.
  
  PR: 6635
  
  Revision  Changes    Path
  1.859     +1 -8      apache-1.3/STATUS
  
  Index: STATUS
  ===================================================================
  RCS file: /home/cvs/apache-1.3/STATUS,v
  retrieving revision 1.858
  retrieving revision 1.859
  diff -u -u -r1.858 -r1.859
  --- STATUS	2000/11/06 22:08:36	1.858
  +++ STATUS	2000/11/10 01:30:55	1.859
  @@ -1,5 +1,5 @@
     1.3 STATUS:
  -  Last modified at [$Date: 2000/11/06 22:08:36 $]
  +  Last modified at [$Date: 2000/11/10 01:30:55 $]
   
   Release:
   
  @@ -35,13 +35,6 @@
         Message-ID: <20001101001706.G16227@hand.dotat.at>
         which has now been committed. There have been a couple of
         reports that it fixes the problem.
  -
  -    * Parse the ServerName arg for invalid characters at startup.
  -      Bug report 6787 and others are very confused that these bugs
  -      don't appear until requests to the invalid hostname are
  -      rejected in http_protocol.c - wasting bug reviewers time.
  -      This problem can also be addressed by relaxing the host
  -      header syntax check. fanf has a patch.
   
   RELEASE NON-SHOWSTOPPERS BUT WOULD BE REAL NICE TO WRAP THESE UP:
   
  
  
  
  1.1598    +3 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1597
  retrieving revision 1.1598
  diff -u -u -r1.1597 -r1.1598
  --- CHANGES	2000/11/06 22:11:07	1.1597
  +++ CHANGES	2000/11/10 01:30:56	1.1598
  @@ -1,5 +1,8 @@
   Changes with Apache 1.3.15
   
  +  *) Relax the syntax checking of Host: headers in order to support
  +     iDNS. PR#6635 [Tony Finch]
  +
     *) Fix Content-Length calculation when doing Range header processing.
        This makes PDF byteserving work again. PR#6711 [Tony Finch]
   
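
Review bot: The new CHANGES entry says the Host: check is relaxed but not what is still refused. Administrators of mod_vhost_alias or mod_rewrite mass hosting read this file to learn what they can rely on, so the entry should add that forward slashes, backslashes and sequences of more than one dot are still rejected, and that underscores and UTF8 bytes are now accepted.
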
  
  
  
  1.21      +19 -13    apache-1.3/src/main/http_vhost.c
  
  Index: http_vhost.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/main/http_vhost.c,v
  retrieving revision 1.20
  retrieving revision 1.21
  diff -u -u -r1.20 -r1.21
  --- http_vhost.c	2000/09/28 09:26:02	1.20
  +++ http_vhost.c	2000/11/10 01:30:57	1.21
  @@ -685,6 +685,16 @@
   
   /* Lowercase and remove any trailing dot and/or :port from the hostname,
    * and check that it is sane.
  + *
  + * In most configurations the exact syntax of the hostname isn't
  + * important so strict sanity checking isn't necessary. However, in
  + * mass hosting setups (using mod_vhost_alias or mod_rewrite) where
  + * the hostname is interpolated into the filename, we need to be sure
  + * that the interpolation doesn't expose parts of the filesystem.
  + * We don't do strict RFC 952 / RFC 1123 syntax checking in order
  + * to support iDNS and people who erroneously use underscores.
  + * Instead we just check for filesystem metacharacters: directory
  + * separators / and \ and sequences of more than one dot.
    */
   static void fix_hostname(request_rec *r)
   {
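
Review bot: The added comment lists what is rejected but never states the resulting guarantee for callers. With the strict check gone, the loop in the next hunk copies every byte other than '.', '/' and '\' unchanged, so r->hostname may now hold spaces, control characters and 8-bit bytes. Suggest saying explicitly that the only property fix_hostname() still guarantees is the absence of '/', '\' and "..", and that code using the hostname as anything other than a single path component must do its own checking.
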
  @@ -696,21 +706,17 @@
       src = r->hostname;
       dst = host;
       while (*src) {
  -	if (!ap_isalnum(*src) && *src != '-') {
  -	    if (*src == '.') {
  -		*dst++ = *src++;
  -		if (*src == '.')
  -		    goto bad;
  -		else
  -		    continue;
  -	    }
  -	    if (*src == ':')
  -		break;
  -	    else
  -		goto bad;
  -	} else {
  +	if (*src == '.') {
   	    *dst++ = *src++;
  +	    if (*src == '.')
  +		goto bad;
  +	    else
  +		continue;
  +	}
  +	if (*src == '/' || *src == '\\') {
  +	    goto bad;
   	}
  +	*dst++ = *src++;
       }
       /* check the port part */
       if (*src++ == ':') {
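
Review bot: The rewritten loop no longer stops at ':'. The removed branch contained `if (*src == ':') break;` and nothing replaces it, so the loop now ends only at the terminating NUL or at `goto bad`, copying ':' and everything after it into host. The `if (*src++ == ':')` test in the trailing context can then never be true, which means the :port that the function comment promises to remove stays in the hostname and the port check is skipped. Suggest putting `if (*src == ':') break;` back before the final `*dst++ = *src++;`.
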
  
  
  

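The check the log message describes, written out as an added example that is not Apache's code and not part of the commit: only `/`, `\` and consecutive dots are rejected, while `:port` and a trailing dot are still split off as the function comment says. The name `sanitize_host`, the sample values, and the rejection of an empty host are assumptions of this example; lowercasing relies on the C locale.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Apache's fix_hostname(): copy the host part of a
 * Host: value into out, lowercased, without :port or a trailing dot.
 * Returns 0 on success, -1 if the value must be rejected. */
int sanitize_host(const char *in, char *out, size_t outlen)
{
    size_t n = 0;

    while (*in && *in != ':') {
        unsigned char c = (unsigned char)*in;
        if (c == '/' || c == '\\')
            return -1;               /* directory separators */
        if (c == '.' && in[1] == '.')
            return -1;               /* more than one dot in a row */
        if (n + 1 >= outlen)
            return -1;               /* too long: refuse, never truncate */
        out[n++] = (char)tolower(c); /* C locale: bytes >= 0x80 are unchanged */
        in++;
    }
    if (*in == ':') {                /* port: one or more digits, nothing else */
        if (!isdigit((unsigned char)in[1]))
            return -1;
        for (in++; *in; in++)
            if (!isdigit((unsigned char)*in))
                return -1;
    }
    if (n > 0 && out[n - 1] == '.')
        n--;                         /* drop one trailing dot */
    if (n == 0)
        return -1;                   /* empty host (assumption of this example) */
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample Host: values. */
    const char *samples[] = { "WWW.Example.COM:8080", "my_host.example.",
                              "a..b", "x/../y", "h:80x" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        int rc = sanitize_host(samples[i], buf, sizeof buf);
        printf("%-22s -> %s\n", samples[i], rc == 0 ? buf : "(rejected)");
    }
    return 0;
}
```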