wrowe 01/08/23 15:17:19
Modified: server core.c
Log:
Increase security in core.c by testing (as we merge the path) that the
URI does not go above the DocumentRoot (as defined by the OS, not by
the URI specification), and give us the true name.
When we are done, note the name is canonical for directory_walk.
Revision Changes Path
1.40 +16 -11 httpd-2.0/server/core.c
Index: core.c
===================================================================
RCS file: /home/cvs/httpd-2.0/server/core.c,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- core.c 2001/08/23 21:56:36 1.39
+++ core.c 2001/08/23 22:17:19 1.40
@@ -2911,8 +2911,14 @@
&& (r->server->path[r->server->pathlen - 1] == '/'
|| r->uri[r->server->pathlen] == '/'
|| r->uri[r->server->pathlen] == '\0')) {
- r->filename = apr_pstrcat(r->pool, conf->ap_document_root,
- (r->uri + r->server->pathlen), NULL);
+ if (apr_filepath_merge(r->filename, conf->ap_document_root,
+ r->uri + r->server->pathlen,
+ APR_FILEPATH_TRUENAME
+ | APR_SECUREROOT_TEST, r->pool)
+ != APR_SUCCESS) {
+ return HTTP_FORBIDDEN;
+ }
+ r->canonical_filename == r->filename;
}
else {
/*
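Review bot: The added statement `r->canonical_filename == r->filename;` is a comparison whose result is discarded, so the canonical name is never recorded for directory_walk as the log message intends; it should be `r->canonical_filename = r->filename;`. The call above it passes `r->filename` as the first argument, but apr_filepath_merge writes its result through a `char **`, so the merged, root-checked path would not end up in `r->filename`; `&r->filename` looks intended. Both mistakes recur in the else branch of the second hunk. The enclosing function starts and ends outside this hunk, so how `r->filename` is initialised before the call cannot be confirmed from here.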
@@ -2920,15 +2926,14 @@
* /'s in a row. This happens under windows when the document
* root ends with a /
*/
- if ((conf->ap_document_root[strlen(conf->ap_document_root)-1] == '/')
- && (*(r->uri) == '/')) {
- r->filename = apr_pstrcat(r->pool, conf->ap_document_root, r->uri+1,
- NULL);
- }
- else {
- r->filename = apr_pstrcat(r->pool, conf->ap_document_root, r->uri,
- NULL);
- }
+ if (apr_filepath_merge(r->filename, conf->ap_document_root,
+ r->uri + (*(r->uri) == '/') ? 1 : 0,
+ APR_FILEPATH_TRUENAME
+ | APR_SECUREROOT_TEST, r->pool)
+ != APR_SUCCESS) {
+ return HTTP_FORBIDDEN;
+ }
+ r->canonical_filename == r->filename;
}
return OK;
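Review bot: The addpath argument `r->uri + (*(r->uri) == '/') ? 1 : 0` parses as `(r->uri + (*(r->uri) == '/')) ? 1 : 0`, because `+` binds tighter than `?:`. The call therefore receives the integer 1 or 0 rather than a pointer into the URI, and the above-root test never sees the request path. Parenthesise the conditional: `r->uri + ((*(r->uri) == '/') ? 1 : 0),`. A short comment such as `/* skip the leading '/' so the URI is merged relative to the document root */` would also record why the slash is dropped. The function's end lies outside the hunk.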