> Thanks for the info and patch. It'll be considered for 1.1
>
> regards,
> rob.
I'd vote +++++++++1 for this one! That is a trap far to easily fall in.
Excelent !
Dw.
> >Apache 1.1b2 and earlier
> >Any OS
> >
> >A co-worker recently noticed (the hard way) that it is important to be
> >careful when setting up an access control file. She restricted access
> >to a directory so that it was only internally visible, then checked
> >that she could access it internally, and announced it. I was off-site,
> >but I got her mail and tried to access it anyway. To my surprise, I
> >succeeded.
> >
> >The problem was that the server couldn't read her .htaccess file due to
> >permission problems. It just decided to serve the pages, as it had no
> >idea that it should do anything else. This seems like a bad idea --
> >what if the permissions on the file were accidently changed? This
> >could result in all sorts of weirdness, like returning the source for a
> >cgi script rather than executing it, etc.
> >
> >I realize that this is a problem with every server out there and that
> >folks should test their pages after making changes. I just have to
> >believe that fixing this would make it tougher to get bitten by a
> >mistake that it is pretty easy to make.
> >
> >Anyway, here's my fix for 1.1b. Rather than check to see if the errno
> >is EACCESS, I check that it isn't ENOENT. This means that it'll catch
> >all sorts of errors that come about through resource exhaustion and
> >we won't wind up with weird behavior under high load. I also patched
> >alloc.c to ensure that we still get the right errno if any system calls
> >are made in unblock_alarms() -- it looked like this was necessary.
> >
> >I've tested this (briefly) under HP-UX 9.05 -- if I flubbed it,
> >please let me know...
> >
> >Thanks!
> >
> >Kevin
> >
> >Kevin Lahey | Network Engineer, LAN Group
> >Sterling Software | NAS Systems Division
> >NASA Ames Research Center | Phone: (415) 604-4334
> >Mail Stop 258-6 |
> >Moffett Field, CA 94035-1000 | email: kml@nas.nasa.gov
> >
> >
> >*** http_config.c.orig Tue Apr 30 11:42:04 1996
> >--- http_config.c Tue Apr 30 11:44:21 1996
> >***************
> >*** 610,617 ****
> > }
> >
> > *result = dc;
> >! } else
> > dc = NULL;
> >
> > /* cache it */
> > new = palloc(r->pool, sizeof(struct htaccess_result));
> >--- 610,625 ----
> > }
> >
> > *result = dc;
> >! } else {
> >! /* if we couldn't open the file, but it was there, complain */
> >!
> >! if (errno != ENOENT) {
> >! log_reason ("Couldn't open file", filename, r);
> >! return SERVER_ERROR;
> >! }
> >!
> > dc = NULL;
> >+ }
> >
> > /* cache it */
> > new = palloc(r->pool, sizeof(struct htaccess_result));
> >
> >
> >
> >*** alloc.c.orig Tue Apr 30 14:36:47 1996
> >--- alloc.c Tue Apr 30 14:37:55 1996
> >***************
> >*** 719,729 ****
> >--- 719,732 ----
> > FILE *pfopen(struct pool *a, char *name, char *mode)
> > {
> > FILE *fd;
> >+ int tmp_errno;
> >
> > block_alarms();
> > fd = fopen(name, mode);
> >+ tmp_errno = errno;
> > if (fd != NULL) note_cleanups_for_file (a, fd);
> > unblock_alarms();
> >+ errno = tmp_errno;
> > return fd;
> > }
> >
> >***************
> >*** 730,741 ****
> >--- 733,747 ----
> > FILE *pfdopen(struct pool *a,int fd,char *mode)
> > {
> > FILE *f;
> >+ int tmp_errno;
> >
> > block_alarms();
> > f=fdopen(fd,mode);
> >+ tmp_errno = errno;
> > if(f != NULL)
> > note_cleanups_for_file(a,f);
> > unblock_alarms();
> >+ errno = tmp_errno;
> > return f;
> > }
> >
> >
> >����
> >����
>
>
> --
> Rob Hartill (robh@imdb.com)
> The Internet Movie Database (IMDb) http://www.imdb.com/
> ...more movie info than you can poke a stick at.
>
|