httpd-cvs mailing list archives

From wr...@apache.org
Subject cvs commit: httpd-2.0/server core.c
Date Thu, 23 Aug 2001 22:17:19 GMT
wrowe       01/08/23 15:17:19

  Modified:    server   core.c
  Log:
    Increase security in core.c by testing (as we merge the path) that the
    URI does not go above the DocumentRoot (as defined by the OS, not by
    the URI specification), and give us the true name.
  
    When we are done, note the name is canonical for directory_walk.
  
  Revision  Changes    Path
  1.40      +16 -11    httpd-2.0/server/core.c
  
  Index: core.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/server/core.c,v
  retrieving revision 1.39
  retrieving revision 1.40
  diff -u -r1.39 -r1.40
  --- core.c	2001/08/23 21:56:36	1.39
  +++ core.c	2001/08/23 22:17:19	1.40
  @@ -2911,8 +2911,14 @@
   	&& (r->server->path[r->server->pathlen - 1] == '/'
   	    || r->uri[r->server->pathlen] == '/'
   	    || r->uri[r->server->pathlen] == '\0')) {
  -        r->filename = apr_pstrcat(r->pool, conf->ap_document_root,
  -				 (r->uri + r->server->pathlen), NULL);
  +        if (apr_filepath_merge(r->filename, conf->ap_document_root,
  +			       r->uri + r->server->pathlen, 
  +                               APR_FILEPATH_TRUENAME 
  +                             | APR_SECUREROOT_TEST, r->pool)
  +                    != APR_SUCCESS) {
  +            return HTTP_FORBIDDEN;
  +        }
  +        r->canonical_filename == r->filename;
       }
       else {
   	/*
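Review bot: The added statement `r->canonical_filename == r->filename;` is a comparison whose result is discarded, so canonical_filename is never set and the log's stated goal of marking the name canonical for directory_walk is not met. It should read `r->canonical_filename = r->filename;`, and the identical line in the second hunk needs the same fix. Separately, apr_filepath_merge takes a `char **` for its output path, so the first argument should be `&r->filename` in both calls. As written, the call passes the current value of r->filename rather than its address, so the merged, root-checked name is not stored back into the request. The enclosing function starts and ends outside the hunk.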
  @@ -2920,15 +2926,14 @@
            * /'s in a row.  This happens under windows when the document
            * root ends with a /
            */
  -        if ((conf->ap_document_root[strlen(conf->ap_document_root)-1] == '/')
  -	    && (*(r->uri) == '/')) {
  -	    r->filename = apr_pstrcat(r->pool, conf->ap_document_root, r->uri+1,
  -				     NULL);
  -	}
  -	else {
  -	    r->filename = apr_pstrcat(r->pool, conf->ap_document_root, r->uri,
  -				     NULL);
  -	}
  +        if (apr_filepath_merge(r->filename, conf->ap_document_root,
  +                               r->uri + (*(r->uri) == '/') ? 1 : 0, 
  +                               APR_FILEPATH_TRUENAME 
  +                             | APR_SECUREROOT_TEST, r->pool)
  +                    != APR_SUCCESS) {
  +            return HTTP_FORBIDDEN;
  +        }
  +        r->canonical_filename == r->filename;
       }
   
       return OK;
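Review bot: The addpath argument `r->uri + (*(r->uri) == '/') ? 1 : 0` parses as `(r->uri + (*(r->uri) == '/')) ? 1 : 0` because `+` binds tighter than `?:`. The call therefore receives the integer 1 rather than a pointer into the URI, and the secure-root test never sees the request path. Parenthesise the conditional, `r->uri + ((*(r->uri) == '/') ? 1 : 0)`, or simply write `r->uri + (*(r->uri) == '/')`. The removed code skipped the leading slash only when the document root ended with '/', while the new code skips it unconditionally. That looks intended now that the merge joins the two parts, but a one-line comment saying so would help. The function body starts outside the hunk.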
  
  
  
