httpd-dev mailing list archives

From d...@ast.cam.ac.uk (David Robinson)
Subject Re: double slashes (was Re: WWW Form Bug Report: "Security bug involving ScriptAliased directories" on Linux)
Date Tue, 07 Nov 1995 12:21:00 GMT
Ok, so how about the following patch; it fixes the following features of
Apache (that are mostly present in NCSA httpd)

* that multiple slashes in requests are treated as single slashes, except
  in AddDescription, Alias, Redirect, ScriptAlias, UserDir

* that relative links in the document are unlikely to work

* that parsed files can include the wrong document

* that three or more slashes can defeat Directory tags

It does this by issuing a client redirect to the URL with the first occurrence
of "//" replaced by "/". This preserves the ability of the user to
write Alias /adir/perverse//link /some/dir
and still have http://host/adir///perverse//link match this alias.
It also preserves // in CGI script PATH_INFO data.

Although this patch fixes the problem of 3 or more consecutive slashes,
no2slash() should probably still be fixed in case the web admin puts
multiple slashes in configuration directives. (e.g. Alias /dir /web///dir)

The problem with /./ in a path could be fixed in a similar way.

 David.

  Subject: Fix problems with //
  Affects: mod_mime.c
  ChangeLog: Change AddType, AddEncoding and AddLanguage so that they take
             multiple file extensions on a single command.

*** http_request.c.orig	Tue Oct 10 23:06:36 1995
--- http_request.c	Tue Nov  7 12:10:12 1995
***************
*** 205,210 ****
--- 205,223 ----
      no2slash (test_filename);
      num_dirs = count_dirs(test_filename);
      get_path_info (r);
+ 
+     if (strstr (r->filename, "//")) {
+ 	char *t = strstr(r->uri, "//"), *ifile;
+ 	if (t != NULL) /* // came from client */
+ 	{
+ 	    *t = '\0';
+ 	    ifile = pstrcat (r->pool, r->uri, t+1, NULL);
+ 	    *t = '/';
+ 	    table_set (r->headers_out, "Location",
+ 		       construct_url(r->pool, ifile, r->server));
+ 	    return REDIRECT;
+ 	}
+     }
      
      if (S_ISDIR (r->finfo.st_mode)) ++num_dirs;
  
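Review bot: The outer test looks for "//" in r->filename, but the slash that is removed is the first "//" in r->uri, and nothing in the added block ties the two together. If the "//" in r->filename comes from a configuration directive (the Alias /dir /web///dir case mentioned in the message) and the only "//" in r->uri lies in the part treated as PATH_INFO, the redirect strips a slash from PATH_INFO, which the message says should be preserved. Consider restricting the strstr(r->uri, "//") search to the portion of the URI that maps to r->filename, excluding the trailing path-info. Two smaller points: each redirect removes a single slash, so a request with a run of N slashes costs the client N-1 round trips, and collapsing the whole run before building ifile would avoid that; and the block has only the "/* // came from client */" comment, with nothing explaining why a redirect is issued instead of normalising in place (relative links, parsed includes, Directory matching). The header above the diff also lists "Affects: mod_mime.c" and an AddType ChangeLog entry, while the hunk changes http_request.c.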
