httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dirk.vanGulik" <Dirk.vanGu...@jrc.it>
Subject Re: bad perms on .htaccess can result in access problems (1.1b2)
Date Wed, 01 May 1996 09:18:33 GMT

> Thanks for the info and patch. It'll be considered for 1.1
> 
> regards,
> rob.


I'd vote +++++++++1 for this one! That is a trap far to easily fall in.

Excelent !

Dw.

 
> >Apache 1.1b2 and earlier
> >Any OS
> >
> >A co-worker recently noticed (the hard way) that it is important to be
> >careful when setting up an access control file.  She restricted access
> >to a directory so that it was only internally visible, then checked
> >that she could access it internally, and announced it.  I was off-site,
> >but I got her mail and tried to access it anyway.  To my surprise, I
> >succeeded.
> >
> >The problem was that the server couldn't read her .htaccess file due to
> >permission problems.  It just decided to serve the pages, as it had no
> >idea that it should do anything else.  This seems like a bad idea --
> >what if the permissions on the file were accidently changed?  This
> >could result in all sorts of weirdness, like returning the source for a
> >cgi script rather than executing it, etc.
> >
> >I realize that this is a problem with every server out there and that
> >folks should test their pages after making changes.  I just have to
> >believe that fixing this would make it tougher to get bitten by a
> >mistake that it is pretty easy to make.
> >
> >Anyway, here's my fix for 1.1b.  Rather than check to see if the errno
> >is EACCESS, I check that it isn't ENOENT.  This means that it'll catch
> >all sorts of errors that come about through resource exhaustion and
> >we won't wind up with weird behavior under high load.  I also patched
> >alloc.c to ensure that we still get the right errno if any system calls
> >are made in unblock_alarms() -- it looked like this was necessary.
> >
> >I've tested this (briefly) under HP-UX 9.05 -- if I flubbed it,
> >please let me know...
> >
> >Thanks!
> >
> >Kevin
> >
> >Kevin Lahey                  | Network Engineer, LAN Group
> >Sterling Software            | NAS Systems Division
> >NASA Ames Research Center    | Phone: (415) 604-4334 
> >Mail Stop 258-6              | 
> >Moffett Field, CA 94035-1000 | email: kml@nas.nasa.gov
> >
> >
> >*** http_config.c.orig	Tue Apr 30 11:42:04 1996
> >--- http_config.c	Tue Apr 30 11:44:21 1996
> >***************
> >*** 610,617 ****
> >  	}
> >  	
> >  	*result = dc;
> >!     } else
> >  	dc = NULL;
> >  
> >  /* cache it */
> >      new = palloc(r->pool, sizeof(struct htaccess_result));
> >--- 610,625 ----
> >  	}
> >  	
> >  	*result = dc;
> >!     } else {
> >!         /* if we couldn't open the file, but it was there, complain */
> >! 
> >!         if (errno != ENOENT) {
> >!             log_reason ("Couldn't open file", filename, r);
> >!             return SERVER_ERROR;
> >!         }
> >! 
> >  	dc = NULL;
> >+     }
> >  
> >  /* cache it */
> >      new = palloc(r->pool, sizeof(struct htaccess_result));
> >
> >
> >
> >*** alloc.c.orig	Tue Apr 30 14:36:47 1996
> >--- alloc.c	Tue Apr 30 14:37:55 1996
> >***************
> >*** 719,729 ****
> >--- 719,732 ----
> >  FILE *pfopen(struct pool *a, char *name, char *mode)
> >  {
> >    FILE *fd;
> >+   int tmp_errno;
> >  
> >    block_alarms();
> >    fd = fopen(name, mode);
> >+   tmp_errno = errno;
> >    if (fd != NULL) note_cleanups_for_file (a, fd);
> >    unblock_alarms();
> >+   errno = tmp_errno;
> >    return fd;
> >  }
> >  
> >***************
> >*** 730,741 ****
> >--- 733,747 ----
> >  FILE *pfdopen(struct pool *a,int fd,char *mode)
> >  {
> >    FILE *f;
> >+   int tmp_errno;
> >  
> >    block_alarms();
> >    f=fdopen(fd,mode);
> >+   tmp_errno = errno;
> >    if(f != NULL)
> >      note_cleanups_for_file(a,f);
> >    unblock_alarms();
> >+   errno = tmp_errno;
> >    return f;
> >  }
> >  
> >
> >
> >
> 
> 
> -- 
> Rob Hartill (robh@imdb.com)
> The Internet Movie Database (IMDb)  http://www.imdb.com/
>            ...more movie info than you can poke a stick at.
> 


Mime
View raw message