httpd-dev mailing list archives

From Rob Hartill <r...@imdb.com>
Subject Re: bad perms on .htaccess can result in access problems (1.1b2)
Date Tue, 30 Apr 1996 22:52:57 GMT

Thanks for the info and patch. It'll be considered for 1.1.

regards,
rob.

>Apache 1.1b2 and earlier
>Any OS
>
>A co-worker recently noticed (the hard way) that it is important to be
>careful when setting up an access control file.  She restricted access
>to a directory so that it was only internally visible, then checked
>that she could access it internally, and announced it.  I was off-site,
>but I got her mail and tried to access it anyway.  To my surprise, I
>succeeded.
>
>The problem was that the server couldn't read her .htaccess file due to
>permission problems.  It just decided to serve the pages, as it had no
>idea that it should do anything else.  This seems like a bad idea --
>what if the permissions on the file were accidentally changed?  This
>could result in all sorts of weirdness, like returning the source for a
>cgi script rather than executing it, etc.
>
>I realize that this is a problem with every server out there and that
>folks should test their pages after making changes.  I just have to
>believe that fixing this would make it tougher to get bitten by a
>mistake that it is pretty easy to make.
>
>Anyway, here's my fix for 1.1b.  Rather than check to see if the errno
>is EACCES, I check that it isn't ENOENT.  This means that it'll catch
>all sorts of errors that come about through resource exhaustion and
>we won't wind up with weird behavior under high load.  I also patched
>alloc.c to ensure that we still get the right errno if any system calls
>are made in unblock_alarms() -- it looked like this was necessary.
>
>I've tested this (briefly) under HP-UX 9.05 -- if I flubbed it,
>please let me know...
>
>Thanks!
>
>Kevin
>
>Kevin Lahey                  | Network Engineer, LAN Group
>Sterling Software            | NAS Systems Division
>NASA Ames Research Center    | Phone: (415) 604-4334 
>Mail Stop 258-6              | 
>Moffett Field, CA 94035-1000 | email: kml@nas.nasa.gov
>
>
>*** http_config.c.orig	Tue Apr 30 11:42:04 1996
>--- http_config.c	Tue Apr 30 11:44:21 1996
>***************
>*** 610,617 ****
>  	}
>  	
>  	*result = dc;
>!     } else
>  	dc = NULL;
>  
>  /* cache it */
>      new = palloc(r->pool, sizeof(struct htaccess_result));
>--- 610,625 ----
>  	}
>  	
>  	*result = dc;
>!     } else {
>!         /* if we couldn't open the file, but it was there, complain */
>! 
>!         if (errno != ENOENT) {
>!             log_reason ("Couldn't open file", filename, r);
>!             return SERVER_ERROR;
>!         }
>! 
>  	dc = NULL;
>+     }
>  
>  /* cache it */
>      new = palloc(r->pool, sizeof(struct htaccess_result));
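
Review bot: the `errno != ENOENT` test in the new else branch also turns ENOTDIR into SERVER_ERROR, so if this lookup is ever attempted beneath a path component that is a regular file, a request that used to be served would now fail with a 500. Consider `if (errno != ENOENT && errno != ENOTDIR)` so that only a file that exists but cannot be opened fails closed. The test also depends on errno still holding the value from the failed open when control reaches this else; nothing in the visible lines guarantees that, so a comment at the open call, or a local copy of errno taken right after it, would make the dependency explicit. The log text "Couldn't open file" could also say that this is the access control file, so the error log explains why the request was refused.
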
>
>
>
>*** alloc.c.orig	Tue Apr 30 14:36:47 1996
>--- alloc.c	Tue Apr 30 14:37:55 1996
>***************
>*** 719,729 ****
>--- 719,732 ----
>  FILE *pfopen(struct pool *a, char *name, char *mode)
>  {
>    FILE *fd;
>+   int tmp_errno;
>  
>    block_alarms();
>    fd = fopen(name, mode);
>+   tmp_errno = errno;
>    if (fd != NULL) note_cleanups_for_file (a, fd);
>    unblock_alarms();
>+   errno = tmp_errno;
>    return fd;
>  }
>  
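
Review bot: in pfopen() the added `tmp_errno = errno;` and `errno = tmp_errno;` lines carry no comment, and without one they look like dead code that a later cleanup could remove, which would quietly undo the errno check added in http_config.c. Add a one-line comment saying that calls made in note_cleanups_for_file() or unblock_alarms() may overwrite errno and that a caller tests it after a NULL return. Since errno only matters when fopen() fails, the save and restore could also be limited to the `fd == NULL` case, leaving the success path as it was.
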
>***************
>*** 730,741 ****
>--- 733,747 ----
>  FILE *pfdopen(struct pool *a,int fd,char *mode)
>  {
>    FILE *f;
>+   int tmp_errno;
>  
>    block_alarms();
>    f=fdopen(fd,mode);
>+   tmp_errno = errno;
>    if(f != NULL)
>      note_cleanups_for_file(a,f);
>    unblock_alarms();
>+   errno = tmp_errno;
>    return f;
>  }
>  
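
Review bot: pfdopen() gets the same save and restore as pfopen(), but nothing in this patch tests errno after a pfdopen() call, so the diff does not show whether this hunk fixes an observed problem or is precautionary; the description should say which. The added lines are now duplicated across both functions, so if further wrappers in alloc.c need the same treatment, a small helper around unblock_alarms() that preserves errno would keep them consistent.
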
>
>
>


-- 
Rob Hartill (robh@imdb.com)
The Internet Movie Database (IMDb)  http://www.imdb.com/
           ...more movie info than you can poke a stick at.
