httpd-dev mailing list archives

From: r..@ai.mit.edu (Robert S. Thau)
Subject: Re: Report of bugs in httpd 1.4.2 (INFO#95.26894) (fwd)
Date: Mon, 06 Nov 1995 16:11:20 GMT

Some comments:

>       o  The module no2slash() in util.c replaces two consecutive
>       slashes by a single one. It should recognize any number of
>       consecutive slashes.

This is a real bug, and ought to be fixed.

>       o  The module no2slash() in util.c should also recognize
>       and replace the ``/./'' ``./'' ``/.'' constructs.

IMHO, this would be better done in getparents(), but it ought to be done.

>       o  The module getparents() in util.c should call no2slash()
>       before proceeding.

I don't believe this is necessary --- the two fixes above are sufficient
to blunt all the attacks given in the CERT report.

>       o  The module evaluate_access() in http_access.c does an
>       lstat() on a link and another lstat() on the resulting file
>       to compare their owners. It should do a stat() on the
>       resulting file instead. It also does not check whether the
>       lstat() fails or succeeds.

This fix was made long ago in Shambhala, but NCSA might want to look
at it...

rst
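
The two path fixes discussed in the message above (collapsing any number of consecutive slashes, and removing the "/./", "./" and "/." constructs), as an added example. It is not code from NCSA httpd, Shambhala or the message's author; the function names `collapse_slashes`, `strip_dot_segments` and `normalize_path` are hypothetical, and ".." segments are deliberately left untouched.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: collapse every run of '/' to one '/', in place. */
static void collapse_slashes(char *p)
{
    char *out = p;
    for (const char *in = p; *in; in++) {
        if (*in == '/' && out > p && out[-1] == '/')
            continue;           /* drop the 2nd, 3rd, ... slash of a run */
        *out++ = *in;
    }
    *out = '\0';
}

/* Hypothetical helper: drop "." segments ("/./", leading "./", final "/."). */
static void strip_dot_segments(char *p)
{
    char *out = p;
    int seg_start = 1;          /* true at the first character of a segment */
    for (const char *in = p; *in; ) {
        if (seg_start && in[0] == '.' && (in[1] == '/' || in[1] == '\0')) {
            in += (in[1] == '/') ? 2 : 1;   /* skip "./" or a final "." */
            continue;           /* still at a segment start */
        }
        seg_start = (*in == '/');
        *out++ = *in++;
    }
    *out = '\0';
}

/* Run both passes: runs of slashes, then "." segments. ".." is not handled. */
static char *normalize_path(char *p)
{
    collapse_slashes(p);
    strip_dot_segments(p);
    return p;
}

int main(void)
{
    /* Constructed sample paths, not taken from the CERT report. */
    char samples[][32] = { "/a//b///c", "/cgi-bin/./x", "./a/.", "/a/.//b", "/a/..//b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-14s -> ", samples[i]);
        printf("%s\n", normalize_path(samples[i]));
    }
    return 0;
}
```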
