From r..@ai.mit.edu (Robert S. Thau)
Subject Re: WWW Form Bug Report: "Security bug involving ScriptAliased directories" on Linux
Date Thu, 02 Nov 1995 17:21:09 GMT
The bug here seems to be that the Alias command and its (effective) variants
can be foxed by giving them URIs with doubled slashes, which then fail to
match.  In particular, if the target directory of a ScriptAlias command is
actually, say, the cgi-bin subdirectory of DocumentRoot, this can be used
to disable the effects of ScriptAlias.  Here is a patch against *0.8.16*
which appears to cure the problem:

*** mod_alias.c~	Fri Oct 27 18:03:13 1995
--- mod_alias.c	Thu Nov  2 12:05:53 1995
***************
*** 134,139 ****
--- 134,173 ----
  { NULL }
  };
  
+ int alias_matches (char *uri, char *alias_fakename)
+ {
+     char *end_fakename = alias_fakename + strlen (alias_fakename);
+     char *aliasp = alias_fakename, *urip = uri;
+ 
+     while (aliasp < end_fakename) {
+ 	if (*aliasp == '/') {
+ 	    /* any number of '/' in the alias matches any number in
+ 	     * the supplied URI, but there must be at least one...
+ 	     */
+ 	    if (*urip != '/') return 0;
+ 	    
+ 	    while (*aliasp == '/') ++ aliasp;
+ 	    while (*urip == '/') ++ urip;
+ 	}
+ 	else {
+ 	    /* Other characters are compared literally */
+ 	    if (*urip++ != *aliasp++) return 0;
+ 	}
+     }
+ 
+     /* Check last alias path component matched all the way */
+ 
+     if (aliasp[-1] != '/' && *urip != '\0' && *urip != '/')
+ 	return 0;
+ 
+     /* Return number of characters from URI which matched (may be
+      * greater than length of alias, since we may have matched
+      * doubled slashes)
+      */
+ 
+     return urip - uri;
+ }
+ 
  char *try_alias_list (request_rec *r, array_header *aliases, int doesc)
  {
      alias_entry *entries = (alias_entry *)aliases->elts;
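Review bot: The final check reads `aliasp[-1]`, which is one byte before the string when `alias_fakename` is empty, because the loop never runs and `aliasp` still equals `alias_fakename`. Whether the config parser can produce an empty fakename is not visible here, so a guard before that check is cheap insurance: `if (aliasp == alias_fakename) return 0;`. Both parameters are only read, so declaring them `const char *` would state that in the signature. Since the function decides whether a ScriptAlias applies, a header comment should say that the return value is the number of URI characters consumed and that 0 means no match.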
***************
*** 141,158 ****
      
      for (i = 0; i < aliases->nelts; ++i) {
          alias_entry *p = &entries[i];
!         int l = strlen(p->fake);
  
!         if(!strncmp(r->uri, p->fake, l)
! 	   && (p->fake[l-1] == '/' || l == strlen(r->uri) || r->uri[l] == '/'))
! 	{
  	    if (p->forced_type)
  		table_set (r->notes, "alias-forced-type", p->forced_type);
  			   
! 	    if (doesc)
! 	    {
  		char *escurl;
! /* would like to use os_escape_path here, but can't */
  		escurl = escape_uri(r->pool, r->uri + l);
  		return pstrcat(r->pool, p->real, escurl, NULL);
  	    } else
--- 175,189 ----
      
      for (i = 0; i < aliases->nelts; ++i) {
          alias_entry *p = &entries[i];
!         int l = alias_matches (r->uri, p->fake);
  
!         if (l > 0) {
  	    if (p->forced_type)
  		table_set (r->notes, "alias-forced-type", p->forced_type);
  			   
! 	    if (doesc) {
  		char *escurl;
! 		/* would like to use os_escape_path here, but can't */
  		escurl = escape_uri(r->pool, r->uri + l);
  		return pstrcat(r->pool, p->real, escurl, NULL);
  	    } else
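Review bot: The call site at `int l = alias_matches (r->uri, p->fake);` carries no hint that the slash-tolerant match is there for a security reason, so a later cleanup could revert it to a plain prefix compare. A short comment above it would help, for example `/* must tolerate repeated '/' in r->uri; a plain strncmp lets such URIs miss the ScriptAlias */`. `l` now counts matched URI characters rather than the alias length, which is what `r->uri + l` needs. The `else` branch continues outside this hunk and should be checked to use `l` the same way. The match also still runs on the URI as received, so collapsing repeated slashes once before any prefix matching may be worth considering as a more general fix.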
