httpd-cvs mailing list archives

From wr...@apache.org
Subject cvs commit: httpd-2.0/modules/filters mod_include.c
Date Mon, 10 Sep 2001 03:58:27 GMT
wrowe       01/09/09 20:58:27

  Modified:    modules/filters mod_include.c
  Log:
    apr_filepath_merge includes APR_FILEPATH_SECURE_ROOT tests that can
    easily (and cross-platform, safely) assure a path is within a given root.
  
  Revision  Changes    Path
  1.146     +7 -3      httpd-2.0/modules/filters/mod_include.c
  
  Index: mod_include.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/filters/mod_include.c,v
  retrieving revision 1.145
  retrieving revision 1.146
  diff -u -r1.145 -r1.146
  --- mod_include.c	2001/09/07 05:52:29	1.145
  +++ mod_include.c	2001/09/10 03:58:26	1.146
  @@ -958,7 +958,7 @@
   /* ensure that path is relative, and does not contain ".." elements
    * ensentially ensure that it does not match the regex:
    * (^/|(^|/)\.\.(/|$))
  - * XXX: Needs to become apr_is_path_relative() test
  + * XXX: Simply replace with apr_filepath_merge                    
    */
   static int is_only_below(const char *path)
   {
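Review bot: The new `XXX: Simply replace with apr_filepath_merge` comment above is_only_below(), and the matching `XXX: Port to apr_filepath_merge` lines added at the two call sites in the later hunks, name the replacement but not the test that makes it equivalent to this check. The commit log says the APR_FILEPATH_SECURE_ROOT test is what keeps a path within a given root, so the comment should say so, e.g. `* XXX: Replace with apr_filepath_merge() and its APR_FILEPATH_SECURE_ROOT test, merging against the including file's directory`; the choice of root is inferred from the call-site comments ("only files in this directory or below") and should be confirmed. Until the port lands, both call sites still depend on the string test documented here, whose regex covers only a leading `/` and `..` elements separated by `/`. The body of is_only_below() lies outside the hunk, so whether it also rejects other platform-specific path forms cannot be seen from here. The added comment line in this hunk also ends in trailing whitespace.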
  @@ -1024,7 +1024,9 @@
                   ap_ssi_parse_string(r, tag_val, parsed_string, 
                                       sizeof(parsed_string), 0);
                   if (tag[0] == 'f') {
  -                    /* be safe; only files in this directory or below allowed */
  +                    /* XXX: Port to apr_filepath_merge
  +                     * be safe; only files in this directory or below allowed 
  +                     */
                       if (!is_only_below(parsed_string)) {
                           error_fmt = "unable to include file \"%s\" "
                                       "in parsed file %s";
  @@ -1298,7 +1300,9 @@
       apr_status_t rv = APR_SUCCESS;
   
       if (!strcmp(tag, "file")) {
  -        /* be safe; only files in this directory or below allowed */
  +        /* XXX: Port to apr_filepath_merge
  +         * be safe; only files in this directory or below allowed 
  +         */
           if (!is_only_below(tag_val)) {
               error_fmt = "unable to access file \"%s\" "
                           "in parsed file %s";
  
  
  
