httpd-cvs mailing list archives

From m...@apache.org
Subject cvs commit: apache-1.3/src/support split-logfile
Date Sun, 29 Jul 2001 21:37:46 GMT
marc        01/07/29 14:37:46

  Modified:    src      CHANGES
               src/support split-logfile
  Log:
  Add a modified form of the patch in PR 7848 to prevent people
  from using specially crafted vhost names to write to any .log file on
  the system.
  
  PR: 7848
  Submitted by:	Daniel Matuschek <daniel.matuschek@swisscom.com> and Marc Slemko
  
  Revision  Changes    Path
  1.1695    +7 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1694
  retrieving revision 1.1695
  diff -u -r1.1694 -r1.1695
  --- CHANGES	2001/07/16 06:29:07	1.1694
  +++ CHANGES	2001/07/29 21:37:46	1.1695
  @@ -1,5 +1,12 @@
   Changes with Apache 1.3.21
   
  +  *) SECURITY: Make support/split-logfile use the default log file if
  +     "/" or "\" are present in the virtual host name.  This prevents
  +     the possible use of specially crafted virtual host names in
  +     some configurations to allow writing to any .log file on the
  +     system.  [Daniel Matuschek <daniel.matuschek@swisscom.com>,
  +     Marc Slemko]  PR#7848
  +
     *) Added a directive: "AcceptFilter <on|off>". To control BSD 
        acccept filters when at compile time SO_ACCEPT_FILTER is 
        detected. The default is still 'on' except when, at compile
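
Review bot: the new SECURITY entry says split-logfile falls back to "the default log file" but never names it. The script change in this commit sets the vhost to "access" in that case, so the entry could say that lines whose virtual host name contains "/" or "\" are written to the "access" log. That tells administrators where those entries end up after upgrading.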
  
  
  
  1.8       +5 -0      apache-1.3/src/support/split-logfile
  
  Index: split-logfile
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/support/split-logfile,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -r1.7 -r1.8
  --- split-logfile	2001/01/15 17:06:39	1.7
  +++ split-logfile	2001/07/29 21:37:46	1.8
  @@ -87,6 +87,11 @@
       #
       $vhost = lc ($vhost) or "access";
       #
  +    # if the vhost contains a "/" or "\", it is illegal so just use 
  +    # the default log to avoid any security issues due if it is interprted
  +    # as a directory separator.
  +    if ($vhost =~ m#[/\\]#) { $vhost = "access" }
  +    #
       # If the log file for this virtual host isn't opened
       # yet, do it now.
       #
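
Review bot: the added test `if ($vhost =~ m#[/\\]#)` rejects only the two separator characters, so any other unexpected byte in the vhost field still becomes part of the file name. A positive match on the characters a host name may contain, for example `if ($vhost !~ m#^[a-z0-9._-]+$#) { $vhost = "access" }`, would cover the separators and everything else in one check. Separately, the unchanged line just above, `$vhost = lc ($vhost) or "access";`, parses as `($vhost = lc ($vhost)) or "access"` because `or` binds more loosely than `=`, so an empty vhost is not replaced by "access" there; `||` would do what the fallback seems meant to do. Minor: the new comment has a typo ("interprted") and a stray "due" in "security issues due if it is".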
  
  
  
