httpd-dev mailing list archives

From Howard Fear <...@pooh.pageplus.com>
Subject Re: Time for 1.2b3 public ?
Date Sun, 22 Dec 1996 07:25:55 GMT
I submitted the following bug fix to no comment a week or so ago.

--
Howard Fear      email1: howard_fear@pageplus.com
                 email2: howard_fear@redcape.com
                 http://www.pageplus.com/~hsf/

To: new-httpd@hyperreal.com
Subject: Re: WWW Form Bug Report: "httpd dumps core in mod_include module" on Solaris 2.x (fwd)
In-reply-to: Your message of "Mon, 09 Dec 1996 17:24:46 PST."
             <Pine.GSO.3.95.961209172420.9610W-100000@eat.organic.com> 
Date: Thu, 12 Dec 1996 00:29:04 -0700
From: Howard Fear <hsf@pooh.pageplus.com>

I've patched the following in a somewhat different way.  find_string was
using a null request pointer to inhibit printing during an error.  When
I added the ssi extensions, I added a flag that would inhibit printing
for conditionals.  I modified the code to pass a non-printing flag to
find_string during error processing instead of the null request pointer.

I noticed some strange, to me, things testing this.  I've just finished
setting up a linux system at home, so I was doing a fresh apache install.
I'm not sure if the following reflect some lack of understanding on my
part, changes with 1.2, or problems I should investigate.

1) Setting Options IncludesNOEXEC for the servers docs directory in
srm.conf did not prevent execs in ~user directories. 

2) http://localhost/dir_without_trailing_slash was redirected to
parts unknown.  I have mod_rewrite compiled in but no rewriting
rules.  Does this now require one?

Also, did anyone have any comments on my response to parsing
query_string in mod_include?

Thanks,

--
Howard Fear      email1: howard_fear@pageplus.com
                 email2: howard_fear@redcape.com
                 http://www.pageplus.com/~hsf/

> From: Andrew Vasilyev <andy@kremvax.demos.su>
> There is one problem: when I saw those cores in October on our _busy_
> server with several dozens virtual servers (and administrators :)),
> I've checked them and found the place. But now it is hard to
> put experiments on the working facility, and in usual conditions I
> failed to emulate this bug, but you can see that find_string() is called
> with NULL as the last argument 2 times (in send_parsed_content()) both
> for error conditions. And then we see r->pool in find_string(), where
> r == NULL!  But when you try to access memory 0x0+several_bytes under
> Solaris, system kills you :((

>Submitter: andy@demos.net
>Operating system: Solaris 2.x, version: 
>Version of Apache Used: 1.1.1 and 1.2b1
>Extra Modules used: mod_status
>URL exhibiting problem: 
>
>Symptoms:
>--
> I've already reported this problem in 1.1.1 when 
>pfclose() is called with invalid argument, but the
>bug is still here :(((
>
>Here is a patch:
>
>*** mod_include.c.orig  Wed Dec  4 18:59:38 1996
>--- mod_include.c       Wed Dec  4 19:01:14 1996
>***************
>*** 122,128 ****
>   { \
>     int i = getc(f); \
>     if(feof(f) || ferror(f) || (i == -1)) { \
>!         pfclose(p,f); \
>          return r; \
>     } \
>     c = (char)i; \
>--- 122,128 ----
>   { \
>     int i = getc(f); \
>     if(feof(f) || ferror(f) || (i == -1)) { \
>!       if(p) pfclose(p, f); else fclose(f); \
>          return r; \
>     } \
>     c = (char)i; \
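Review bot: the `else fclose(f);` fallback in GET_CHAR masks the real problem rather than fixing it. The original `pfclose(p,f)` shows that f is a pool-managed file; if it was opened through the pool, closing it with a plain fclose when p is NULL leaves the pool's cleanup for that FILE * registered, so it gets closed a second time at pool cleanup. The pool should simply never be NULL here, which means keeping the request pointer valid at the find_string call sites instead of special-casing its absence in the macro.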
>***************
>*** 140,146 ****
>  
>      p=0;
>      while(1) {
>!         GET_CHAR(in,c,1,r->pool);
>          if(c == str[p]) {
>              if((++p) == l)
>                  return 0;
>--- 140,146 ----
>  
>      p=0;
>      while(1) {
>!       GET_CHAR(in,c,1,r?r->pool:NULL);
>          if(c == str[p]) {
>              if((++p) == l)
>                  return 0;
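Review bot: `r?r->pool:NULL` avoids the crash at this one dereference but keeps the convention that a NULL request means "do not print", so every other use of r inside find_string (the rputc calls) still needs its own `if(r)` guard and any new use is a fresh crash waiting to happen. The two callers in send_parsed_content that pass NULL are the defect; giving find_string an explicit printing argument and always passing the real request, as the revised patch further down does, removes the NULL case entirely instead of threading it through GET_CHAR.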

Revised Patch:

*** mod_include.c.dist	Wed Dec 11 21:16:45 1996
--- mod_include.c	Wed Dec 11 21:24:34 1996
***************
*** 141,153 ****
                  return 0;
          }
          else {
!             if(r) {
!                 if(p) {
!                     for(x=0;x<p;x++) {
!                         if (printing) rputc(str[x],r);
!                     }
                  }
!                 if (printing) rputc(c,r);
              }
              p=0;
          }
--- 141,151 ----
                  return 0;
          }
          else {
!             if (printing) {
!                 for(x=0;x<p;x++) {
!                     rputc(str[x],r);
                  }
!                 rputc(c,r);
              }
              p=0;
          }
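Review bot: with the `if(r)` guard gone, `rputc(str[x],r)` and `rputc(c,r)` now dereference r unconditionally whenever printing is non-zero, so the function's safety rests on an undocumented precondition that no caller passes printing != 0 together with r == NULL. Nothing in this hunk enforces that; a comment above find_string stating the contract, or `if (printing && r)` as a defensive check, would make it explicit. Dropping the separate `if(p)` test is fine, since with p == 0 the for loop body simply never runs.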
***************
*** 1590,1596 ****
                      log_printf(r->server,"httpd: exec used but not allowed in %s",
                              r->filename);
                      if (printing) rputs(error, r);
!                     ret = find_string(f,ENDING_SEQUENCE,NULL,printing);
                  } else 
                      ret=handle_exec(f, r, error);
              } else if(!strcmp(directive,"config"))
--- 1588,1594 ----
                      log_printf(r->server,"httpd: exec used but not allowed in %s",
                              r->filename);
                      if (printing) rputs(error, r);
!                     ret = find_string(f,ENDING_SEQUENCE,r,0);
                  } else 
                      ret=handle_exec(f, r, error);
              } else if(!strcmp(directive,"config"))
***************
*** 1612,1618 ****
                          "httpd: unknown directive %s in parsed doc %s",
                          directive,r->filename);
                  if (printing) rputs(error, r);
!                 ret=find_string(f,ENDING_SEQUENCE,NULL,printing);
              }
              if(ret) {
                  log_printf(r->server,"httpd: premature EOF in parsed file %s",
--- 1610,1616 ----
                          "httpd: unknown directive %s in parsed doc %s",
                          directive,r->filename);
                  if (printing) rputs(error, r);
!                 ret=find_string(f,ENDING_SEQUENCE,r,0);
              }
              if(ret) {
                  log_printf(r->server,"httpd: premature EOF in parsed file %s",

