httpd-dev mailing list archives

From sameer <sam...@c2.net>
Subject Re: security holes and other fun stuff
Date Mon, 15 Jul 1996 23:38:45 GMT
> 
> To be honest, I can't see how your patch does *anything* different than
> the current code; near as I can tell, it'll do exactly the same thing,
> except it will cause a seg fault on some systems. Maybe I missed
> something.

OK, I'll go into my reasoning...

the client sends (connecting to port 80):

Host: www.anonymizer.com

	check_hostalias sets "port" to 0:

void check_hostalias (request_rec *r) {
  char *host = getword(r->pool, &r->hostname, ':');     /* Get rid of port */
  int port = (*r->hostname) ? atoi(r->hostname) : 0;
  server_rec *s;

  if (port && (port != r->server->port))
    return;

/*	r->server->port is 80. r->server->next->port is 443.
 *	r->server->server_hostname is www.anonymizer.com
 *	r->server->next->server_hostname is www.anonymizer.com
 *      port is 0
 *      host is www.anonymizer.com
 */

  if ((host[strlen(host)-1]) == '.') {
    host[strlen(host)-1] = '\0';
  }

  r->hostname = host;

  for (s = r->server->next; s; s = s->next) {
    char *names = s->names;
    
    if ((!strcasecmp(host, s->server_hostname)) &&
        (!port || (port == s->port))) {

	/* if host matches r->server->next->server_hostname
         * then the configuration changes to r->server->next 
         */ 


--
You're connecting to port 80, so the configuration needs to stay at
r->server, but actually the configuration got changed to
r->server->next. Looks like a problem to me.

	Perhaps changing

  for (s = r->server->next; s; s = s->next)
to
  for(s = r->server; s; s = s->next)

is the real solution?

-- 
Sameer Parekh					Voice:   510-986-8770
Community ConneXion, Inc.			FAX:     510-986-8777
The Internet Privacy Provider
http://www.c2.net/				sameer@c2.net
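
The selection logic discussed in this message, as an added example that is not part of the original post or Apache's source: a simplified C model that compares the quoted loop (starting at `r->server->next`) with the proposed one (starting at `r->server`) for a `Host:` header that carries no port. The reduced `server_rec` and the helper names `split_host`, `select_port`, `select_original` and `select_proposed` are hypothetical, and the two-entry server list is constructed from the values given in the message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Simplified stand-in for server_rec: only the fields the message uses. */
typedef struct server_rec {
    const char *server_hostname;
    int port;
    struct server_rec *next;
} server_rec;

/* Split "host[:port]"; the port is 0 when the header has none, as in the message. */
static int split_host(const char *hdr, char *host, size_t n) {
    const char *colon = strchr(hdr, ':');
    size_t len = colon ? (size_t)(colon - hdr) : strlen(hdr);
    if (len >= n) len = n - 1;
    memcpy(host, hdr, len);
    host[len] = '\0';
    if (len && host[len - 1] == '.') host[len - 1] = '\0';  /* strip trailing dot */
    return (colon && colon[1]) ? atoi(colon + 1) : 0;
}

/* Walk the list from `start` and return the port of the configuration selected.
 * `conn` is the server the connection arrived on (r->server in the message). */
static int select_port(server_rec *conn, server_rec *start, const char *hdr) {
    char host[256];
    int port = split_host(hdr, host, sizeof host);
    if (port && port != conn->port) return conn->port;  /* early return, as quoted */
    for (server_rec *s = start; s; s = s->next)
        if (!strcasecmp(host, s->server_hostname) && (!port || port == s->port))
            return s->port;
    return conn->port;  /* no match: configuration stays at r->server */
}

/* Loop as quoted in the message: starts at r->server->next. */
int select_original(server_rec *conn, const char *hdr) { return select_port(conn, conn->next, hdr); }
/* Loop as proposed in the message: starts at r->server. */
int select_proposed(server_rec *conn, const char *hdr) { return select_port(conn, conn, hdr); }

/* Constructed list from the message: port 80, then port 443, same hostname. */
static server_rec ssl = { "www.anonymizer.com", 443, NULL };
static server_rec plain = { "www.anonymizer.com", 80, &ssl };

int main(void) {
    printf("original: %d\n", select_original(&plain, "www.anonymizer.com"));
    printf("proposed: %d\n", select_proposed(&plain, "www.anonymizer.com"));
    return 0;
}
```

With an explicit `:80` in the header, both loops keep the port 80 configuration; the difference only appears when the port is omitted and `!port` lets any entry with a matching hostname win.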
