From mar...@apache.org
Subject cvs commit: apache-1.3/src/main http_request.c
Date Mon, 12 Feb 2001 10:18:05 GMT
martin      01/02/12 02:18:05

  Modified:    src      CHANGES
               src/modules/standard mod_negotiation.c
               src/main http_request.c
  Log:
  SECURITY: The default installation could lead to mod_negotiation
  and mod_dir/mod_autoindex displaying a directory listing instead of
  the index.html.* files, if a very long path was created artificially
  by using many slashes. Now a 403 FORBIDDEN is returned.
  
  Reviewed by:	Jim Jagielski, Tony Finch
  
  Revision  Changes    Path
  1.1643    +6 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1642
  retrieving revision 1.1643
  diff -u -u -r1.1642 -r1.1643
  --- CHANGES	2001/02/12 09:59:24	1.1642
  +++ CHANGES	2001/02/12 10:18:03	1.1643
  @@ -1,5 +1,11 @@
   Changes with Apache 1.3.18
   
  +  *) SECURITY: The default installation could lead to mod_negotiation
  +     and mod_dir/mod_autoindex displaying a directory listing instead of
  +     the index.html.* files, if a very long path was created artificially
  +     by using many slashes. Now a 403 FORBIDDEN is returned.
  +     [Martin Kraemer]
  +     
     *) Trailing slashes (if they exist) are now removed from ServerRoot,
        because there were known problems with them.
        ["William A. Rowe, Jr." <wrowe@rowe-clan.net>]
  
  
  
  1.106     +15 -0     apache-1.3/src/modules/standard/mod_negotiation.c
  
  Index: mod_negotiation.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/modules/standard/mod_negotiation.c,v
  retrieving revision 1.105
  retrieving revision 1.106
  diff -u -u -r1.105 -r1.106
  --- mod_negotiation.c	2001/01/15 17:05:46	1.105
  +++ mod_negotiation.c	2001/02/12 10:18:04	1.106
  @@ -895,6 +895,7 @@
       struct var_rec mime_info;
       struct accept_rec accept_info;
       void *new_var;
  +    struct { int any, all; } forbidden;
   
       clean_var_rec(&mime_info);
   
  @@ -917,6 +918,9 @@
           return HTTP_FORBIDDEN;
       }
   
  +    forbidden.any = 0;
  +    forbidden.all = 1;
  +
       while ((dir_entry = readdir(dirp))) {
           request_rec *sub_req;
   
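Review bot: The two assignments `forbidden.any = 0;` and `forbidden.all = 1;` duplicate what an initializer at the declaration would express in one place; the declaration sits in the previous hunk and could read `struct { int any, all; } forbidden = { 0, 1 };`, which also prevents any future early `return` between declaration and loop from reading the struct uninitialized. The enclosing function begins before these hunks, so I cannot see whether other paths reach the loop.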
  @@ -944,6 +948,13 @@
               sub_req->content_type = CGI_MAGIC_TYPE;
           }
   
  +        /* HTTP_FORBIDDEN is returned, e.g., if the path length limit was exceeded */
  +        /* HTTP_OK does NOT necessarily mean that the file is really readable! */
  +        if (sub_req->status == HTTP_OK)
  +            forbidden.all = 0;
  +        else if (sub_req->status == HTTP_FORBIDDEN)
  +            forbidden.any = 1;
  +
           if (sub_req->status != HTTP_OK || !sub_req->content_type) {
               ap_destroy_sub_req(sub_req);
               continue;
  @@ -989,6 +1000,10 @@
       }
   
       ap_pclosedir(neg->pool, dirp);
  +
  +    /* If all variants we considered turn out to be forbidden, then return FORBIDDEN */
  +    if (forbidden.any && forbidden.all)
  +        return HTTP_FORBIDDEN;
   
       set_vlist_validator(r, r);
   
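Review bot: The comment above the new check does not match what the flags actually encode: `forbidden.all` (set in the -944 hunk) is cleared only when a sub-request returns HTTP_OK, so a directory whose variants yielded one HTTP_FORBIDDEN and otherwise non-OK, non-FORBIDDEN statuses also returns 403, not only the "all forbidden" case. From a defensive standpoint that is the right outcome, since the alternative is falling through to a directory listing, but the comment should say so: `/* No variant was OK and at least one was FORBIDDEN: return FORBIDDEN rather than letting mod_dir/mod_autoindex fall through to a listing */`. Renaming `forbidden.all` to something like `none_ok` would make the intent readable at the point where it is cleared. The enclosing function starts before this hunk.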
  
  
  
  1.160     +15 -0     apache-1.3/src/main/http_request.c
  
  Index: http_request.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/main/http_request.c,v
  retrieving revision 1.159
  retrieving revision 1.160
  diff -u -u -r1.159 -r1.160
  --- http_request.c	2001/01/15 17:05:02	1.159
  +++ http_request.c	2001/02/12 10:18:04	1.160
  @@ -907,6 +907,21 @@
           ap_parse_uri(rnew, rnew->uri);    /* fill in parsed_uri values */
           if (stat(rnew->filename, &rnew->finfo) < 0) {
               rnew->finfo.st_mode = 0;
  +#ifdef ENAMETOOLONG
  +            /* Special case for filenames which exceed the maximum limit
  +	     * imposed by the operating system (~1024). These should
  +	     * NOT be treated like "file not found", because there is
  +	     * a difference between "the file is not there" and
  +	     * "the file exists, but you tried to access it using a
  +	     * path which exceeds the path length limit".
  +	     * The idea here is to handle DoS attacks with long
  +	     * runs of //////'s in a graceful and secure manner.
  +	     */
  +            if (errno == ENAMETOOLONG) {
  +                rnew->status = HTTP_FORBIDDEN;
  +                return rnew;
  +            }
  +#endif
           }
   
           if ((res = check_safe_file(rnew))) {
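Review bot: The `errno == ENAMETOOLONG` test relies on `errno` still holding the value set by the `stat()` two lines above, with only the `st_mode = 0` assignment in between; that is correct today but fragile, so a one-line comment such as `/* errno is still from stat(); keep no library call between the two */` would protect it from a later insertion. The comment block itself is indented with a tab on its continuation lines while the surrounding code uses spaces; it should use spaces like lines 128-131. This guard covers only this sub-request lookup; if the main request's filename is stat()ed elsewhere in the file, the same ENAMETOOLONG case presumably still maps to "not found" there, which I cannot confirm from the hunk. The enclosing function begins before the hunk.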
  
  
  
