httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From d...@ast.cam.ac.uk (David Robinson)
Subject Re: Apache incompatibility
Date Thu, 19 Oct 1995 12:35:00 GMT
I've uploaded a patch for this:

31_include.0.8.15.patch
-----------------------

Subject: SSI #include file="/foo/bar" shouldn't work
Affects: mod_include.c
ChangeLog: Disallow includes of files not in the same directory as the
           .shtml file.

*** mod_include.c.orig	Tue Oct 10 23:00:31 1995
--- mod_include.c	Thu Oct 19 12:24:16 1995
***************
*** 360,372 ****
          if(!(tag_val = get_tag(r->pool, in, tag, MAX_STRING_LEN, 1)))
              return 1;
          if(!strcmp(tag,"file") || !strcmp (tag, "virtual")) {
! 	    request_rec *rr =
! 	        (tag[0] == 'f')?
! 		    sub_req_lookup_file (tag_val, r) :
! 		    sub_req_lookup_uri (tag_val, r);
  	    char *error_fmt = NULL;
  	    
! 	    if (rr->status != 200)
  	        error_fmt = "unable to include %s in parsed file %s";
  
  	    if (!error_fmt && noexec && rr->content_type
--- 360,378 ----
          if(!(tag_val = get_tag(r->pool, in, tag, MAX_STRING_LEN, 1)))
              return 1;
          if(!strcmp(tag,"file") || !strcmp (tag, "virtual")) {
! 	    request_rec *rr=NULL;
  	    char *error_fmt = NULL;
+ 
+ 	    if (tag[0] == 'f')
+ 	    { /* be safe; only files in this directory allowed */
+ 		if (strchr(tag_val, '/') != NULL)
+ 		    error_fmt = "unable to include file %s in parsed file %s";
+ 		else
+ 		    rr = sub_req_lookup_file (tag_val, r);
+ 	    } else
+ 		rr = sub_req_lookup_uri (tag_val, r);
  	    
! 	    if (!error_fmt && rr->status != 200)
  	        error_fmt = "unable to include %s in parsed file %s";
  
  	    if (!error_fmt && noexec && rr->content_type
***************
*** 383,389 ****
                  rprintf(r,"%s",error);
              }            
  
! 	    destroy_sub_req (rr);
          } 
          else if(!strcmp(tag,"done"))
              return 0;
--- 389,395 ----
                  rprintf(r,"%s",error);
              }            
  
! 	    if (rr != NULL) destroy_sub_req (rr);
          } 
          else if(!strcmp(tag,"done"))
              return 0;


Mime
View raw message