httpd-dev mailing list archives

From: r..@ai.mit.edu (Robert S. Thau)
Subject: Re: double slashes (was Re: WWW Form Bug Report: "Security bug involving ScriptAliased directories" on Linux)
Date: Fri, 03 Nov 1995 19:26:54 GMT
Unfortunately, David's patch *does* break something, to wit, the
following entry from my access restrictions:

  <Directory /com/web/docs/xperimental/info-gateway/abs>
  <Limit GET>
  order deny,allow
  deny from all
  allow from 128.52
  </Limit>
  </Directory>

What's going on here is that info-gateway is a CGI script, and the
<Directory> is restricting access to invocations of it with certain
PATH_INFO.  With David's patch, the restriction is ineffective, and
access to these paths is suddenly unrestricted.

This sort of thing may look a little peculiar, but it worked with NCSA
1.3, it worked with all prior Apache releases, and I don't see any
reason to break it now.

I am appending a yet *simpler* patch, which restricts translated filenames
with "//", but does allow the above to keep working.  Note that mine logs
such accesses in the error log (and returns FORBIDDEN rather than NOT_FOUND);
hopefully these will make it easier to diagnose further unintended
consequences (for which I will be scanning my error log).

However, I am increasingly convinced that this simply isn't worth "fixing"
--- the problem only arises with certain oddball configurations which 
people can simply be told to avoid, and *any* attempt to fix it seems to
cause problems at least as severe.

Anyway, the *third* patch in the series (clean against 0.8.just-about-any):

*** http_request.c.safe	Fri Nov  3 13:46:04 1995
--- http_request.c	Fri Nov  3 14:10:18 1995
***************
*** 205,210 ****
--- 205,216 ----
      no2slash (test_filename);
      num_dirs = count_dirs(test_filename);
      get_path_info (r);
+ 
+     if (strstr (r->filename, "//")) {
+ 	log_reason ("// in translated filename --- probable alias violation",
+ 		    r->filename, r);
+ 	return FORBIDDEN;
+     }
      
      if (S_ISDIR (r->finfo.st_mode)) ++num_dirs;
  
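Review bot: the new test's placement is load-bearing and should be documented in the code. It sits after `get_path_info (r);`, so `strstr (r->filename, "//")` only sees the part of the translated name that names a real file; a doubled slash that ends up in PATH_INFO (the info-gateway case the message wants to keep working) is not rejected, and it also matters that `no2slash (test_filename)` above normalises a copy, not `r->filename` itself, or the test would never fire. Neither dependency is visible from the five added lines, so a one-line comment above the `if` stating that the check must stay after get_path_info() and must run on the un-normalised r->filename would stop a later reordering from silently changing the outcome. Minor: the log text "probable alias violation" is emitted for any "//" whatever its origin, which is consistent with the message's plan to scan the error log for unintended consequences, but the wording may send an administrator looking at an Alias that is not the cause.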
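The behaviour the message relies on, shown as an added example rather than code from the message or from Apache: a translated filename is first split into the prefix that names an existing file or directory and a trailing PATH_INFO (the idea behind get_path_info(), here simulated with a constructed list of paths instead of stat()), and only the file part is then tested for "//", as the patch does. Names, the tiny in-memory file tree and the OK/FORBIDDEN constants are assumptions made for this example.

```c
/* Added example (not Apache code): reproduces the ordering that the patch
 * relies on. A translated filename is split into the part that names a real
 * file or directory and a trailing PATH_INFO, the way get_path_info() does
 * with stat(); only the file part is then checked for "//".
 * The file tree below is constructed for the example. */
#include <stdio.h>
#include <string.h>

#define OK        0     /* stand-ins for Apache's return codes (assumed) */
#define FORBIDDEN 403

/* Constructed directory tree: the only names that "exist" here. */
static const char *existing[] = {
    "/com", "/com/web", "/com/web/docs", "/com/web/docs/xperimental",
    "/com/web/docs/xperimental/info-gateway",   /* the CGI script from the message */
    "/com/web/docs/index.html",
    NULL
};

/* Collapse runs of '/' the way the kernel does when resolving a path, so
 * that the existence lookup is not fooled by "//" (cf. no2slash()). */
static void collapse_slashes(const char *in, char *out, size_t cap)
{
    size_t j = 0;
    for (size_t i = 0; in[i] != '\0' && j + 1 < cap; i++) {
        if (in[i] == '/' && j > 0 && out[j - 1] == '/')
            continue;
        out[j++] = in[i];
    }
    out[j] = '\0';
}

static int path_exists(const char *p)
{
    char norm[512];
    collapse_slashes(p, norm, sizeof norm);
    for (int i = 0; existing[i] != NULL; i++)
        if (strcmp(existing[i], norm) == 0)
            return 1;
    return 0;
}

/* Length of the longest leading prefix of `translated` that names something
 * that exists; the remainder is PATH_INFO. Components are stripped from the
 * right together with the slash(es) in front of them. */
static size_t split_point(const char *translated)
{
    char prefix[512];
    size_t len = strlen(translated);
    if (len >= sizeof prefix)
        return len;
    size_t cut = len;
    while (cut > 0) {
        memcpy(prefix, translated, cut);
        prefix[cut] = '\0';
        if (path_exists(prefix))
            return cut;
        while (cut > 0 && translated[cut - 1] != '/') cut--;  /* drop last component */
        while (cut > 0 && translated[cut - 1] == '/') cut--;  /* and its leading slash(es) */
    }
    return len;   /* nothing exists: the whole string stays the filename */
}

/* PATH_INFO of a translated name (a pointer into the argument). */
const char *path_info_of(const char *translated)
{
    return translated + split_point(translated);
}

/* The patch's check: FORBIDDEN if "//" survives in the file part, OK
 * otherwise. A "//" that sits in PATH_INFO is deliberately left alone. */
int check_translated(const char *translated)
{
    char filename[512];
    size_t cut = split_point(translated);
    if (cut >= sizeof filename)
        return FORBIDDEN;   /* overlong name: refuse rather than truncate */
    memcpy(filename, translated, cut);
    filename[cut] = '\0';
    if (strstr(filename, "//") != NULL) {
        fprintf(stderr, "// in translated filename: %s\n", filename);
        return FORBIDDEN;
    }
    return OK;
}

int main(void)
{
    const char *cases[] = {
        "/com/web/docs/index.html",                     /* plain file */
        "/com/web/docs//index.html",                    /* "//" in the file part */
        "/com/web/docs/xperimental/info-gateway/abs",   /* script + PATH_INFO */
        "/com/web/docs/xperimental/info-gateway//abs",  /* "//" only in PATH_INFO */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-46s -> %s  (PATH_INFO \"%s\")\n", cases[i],
               check_translated(cases[i]) == OK ? "OK" : "FORBIDDEN",
               path_info_of(cases[i]));
    return 0;
}
```

The two doubled-slash cases come out differently: "/com/web/docs//index.html" is refused because the "//" is inside the part that names the file, while "/com/web/docs/xperimental/info-gateway//abs" is allowed because the split leaves the "//" in PATH_INFO, which is exactly the access-restriction case the message wants to keep working. Moving the check in front of the split would make both cases FORBIDDEN.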