httpd-cvs mailing list archives

From wr...@apache.org
Subject cvs commit: httpd-2.0/server core.c
Date Tue, 06 Aug 2002 16:27:37 GMT
wrowe       2002/08/06 09:27:37

  Modified:    .        CHANGES
               server   core.c
  Log:
    This was never a 'vulnerability'... the APR_FILEPATH_SECUREROOT flag
    passed to apr_filepath_merge refused to merge any rooted 'addpath'.
    However, that isn't the traditional 1.3 behavior, so fly past any
    leading '/'s on the way to merging the uri to the DocumentRoot.
  
  PR: 10946
  
  Revision  Changes    Path
  1.879     +3 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.878
  retrieving revision 1.879
  diff -u -r1.878 -r1.879
  --- CHANGES	6 Aug 2002 06:54:50 -0000	1.878
  +++ CHANGES	6 Aug 2002 16:27:36 -0000	1.879
  @@ -1,5 +1,8 @@
   Changes with Apache 2.0.40
   
  +  *) Accept multiple leading /'s for requests within the DocumentRoot.
  +     PR 10946  [William Rowe]
  +
     *) Solved the reports of .pdf byterange failures on Win32 alone.
        APR's sendfile for the win32 platform collapses header and trailer
        buffers into a single buffer.  However, we destroyed the pointers
  
  
  
  1.197     +18 -5     httpd-2.0/server/core.c
  
  Index: core.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/server/core.c,v
  retrieving revision 1.196
  retrieving revision 1.197
  diff -u -r1.196 -r1.197
  --- core.c	4 Aug 2002 15:15:57 -0000	1.196
  +++ core.c	6 Aug 2002 16:27:36 -0000	1.197
  @@ -3076,9 +3076,16 @@
           && !strncmp(r->uri, r->server->path, r->server->pathlen)
           && (r->server->path[r->server->pathlen - 1] == '/'
               || r->uri[r->server->pathlen] == '/'
  -            || r->uri[r->server->pathlen] == '\0')) {
  -        if (apr_filepath_merge(&r->filename, conf->ap_document_root,
  -                               r->uri + r->server->pathlen,
  +            || r->uri[r->server->pathlen] == '\0')) 
  +    {
  +        /* skip all leading /'s (e.g. http://localhost///foo) 
  +         * so we are looking at only the relative path.
  +         */
  +        char *path = r->uri + r->server->pathlen;
  +        while (*path == '/') {
  +            ++*path;
  +        }
  +        if (apr_filepath_merge(&r->filename, conf->ap_document_root, path,
                                  APR_FILEPATH_TRUENAME
                                | APR_FILEPATH_SECUREROOT, r->pool)
                       != APR_SUCCESS) {
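Review bot: The skip loop uses `++*path;`, which increments the byte that `path` points at instead of advancing the pointer, so the first '/' of the request URI is overwritten in place (in ASCII it becomes '0') and the loop exits after one pass without skipping anything. The statement should be `++path;`, and the identical line in the second core.c hunk (the loop after `char *path = r->uri;`) needs the same change. Declaring the cursor as `const char *path` would let the compiler reject this kind of accidental write to `r->uri`; `apr_filepath_merge` only reads the add-path, so the const pointer should be accepted. The enclosing function starts and ends outside the hunk, so which later consumers of `r->uri` would see the altered string is not visible here.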
  @@ -3092,8 +3099,14 @@
            * /'s in a row.  This happens under windows when the document
            * root ends with a /
            */
  -        if (apr_filepath_merge(&r->filename, conf->ap_document_root,
  -                               r->uri + ((*(r->uri) == '/') ? 1 : 0),
  +        /* skip all leading /'s (e.g. http://localhost///foo) 
  +         * so we are looking at only the relative path.
  +         */
  +        char *path = r->uri;
  +        while (*path == '/') {
  +            ++*path;
  +        }
  +        if (apr_filepath_merge(&r->filename, conf->ap_document_root, path,
                                  APR_FILEPATH_TRUENAME
                                | APR_FILEPATH_SECUREROOT, r->pool)
                       != APR_SUCCESS) {
  
  
  
