httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Randy Terbush <ra...@zyzzyva.com>
Subject Apache 1.1.2 is available
Date Sun, 12 Jan 1997 17:25:50 GMT

I've placed copies of the Apache 1.1.2 distribution files in:

http://www.apache.org/dist/
ftp://ftp.apache.org/apache/dist/

I'll be placing copies of the following two patches in:

http://www.apache.org/dist/patches/apply_to_1.1.1/
ftp://ftp.apache.org/apache/dist/patches/apply_to_1.1.1/

as:

directoryindex_security.patch
mod_cookies_security.patch

Can someone else make the necessary changes to the webpages
to reflect this?

Thanks to Marc Slemko for jumping on the DirectoryIndex issue.


*** ../../../../work/apache_1.1.2/src/mod_dir.c	Sat Jan 11 23:32:39 1997
--- mod_dir.c	Sun Jan 12 06:00:27 1997
***************
*** 768,773 ****
--- 768,774 ----
        (dir_config_rec *)get_module_config (r->per_dir_config, &dir_module);
      char *names_ptr = d->index_names ? d->index_names : DEFAULT_INDEX;
      int allow_opts = allow_options (r);
+     int error_notfound = 0;
  
      if (r->uri[0] == '\0' || r->uri[strlen(r->uri)-1] != '/') {
  	char* ifile;
***************
*** 808,816 ****
  	    return OK;
  	}
  
!         destroy_sub_req (rr);
      }
  
      if (r->method_number != M_GET) return NOT_IMPLEMENTED;
      
      /* OK, nothing easy.  Trot out the heavy artillery... */
--- 809,832 ----
  	    return OK;
  	}
  
!        /* If the request returned something other than 404 (or 200),
!         * it means the module encountered some sort of problem. To be
!         * secure, we should return the error, rather than create
!         * along a (possibly unsafe) directory index.
!         *
!         * So we store the error, and if none of the listed files
!         * exist, we return the last error response we got, instead
!         * of a directory listing.
!         */
!        if (rr->status && rr->status != 404 && rr->status != 200)
!            error_notfound = rr->status;
! 
!        destroy_sub_req (rr);
      }
  
+     if (error_notfound)
+        return error_notfound;
+  
      if (r->method_number != M_GET) return NOT_IMPLEMENTED;
      
      /* OK, nothing easy.  Trot out the heavy artillery... */
*** ../../../../work/apache_1.1.2/src/http_request.c	Sat Jan 11 23:32:38 1997
--- http_request.c	Sun Jan 12 06:00:22 1997
***************
*** 1,6 ****
  
  /* ====================================================================
!  * Copyright (c) 1995 The Apache Group.  All rights reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
--- 1,6 ----
  
  /* ====================================================================
!  * Copyright (c) 1995-1997 The Apache Group.  All rights reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
***************
*** 139,145 ****
  /* Dealing with the file system to get PATH_INFO
   */
  
! void get_path_info(request_rec *r)
  {
      char *cp;
      char *path = r->filename;
--- 139,145 ----
  /* Dealing with the file system to get PATH_INFO
   */
  
! int get_path_info(request_rec *r)
  {
      char *cp;
      char *path = r->filename;
***************
*** 157,163 ****
--- 157,166 ----
  	/* See if the pathname ending here exists... */
        
  	*cp = '\0';
+ 
+ 	errno = 0;
  	rv = stat(path, &r->finfo);
+ 
  	if (cp != end) *cp = '/';
        
  	if (!rv) {
***************
*** 174,182 ****
  	
  	    r->path_info = pstrdup (r->pool, cp);
  	    *cp = '\0';
! 	    return;
  	}
  	else {
  	    last_cp = cp;
  	
  	    while (--cp > path && *cp != '/')
--- 177,192 ----
  	
  	    r->path_info = pstrdup (r->pool, cp);
  	    *cp = '\0';
! 	    return OK;
  	}
+ #if defined(ENOENT)
+ 	else if (errno == ENOENT) {
+ #else
+   #error Your system apparently does not define ENOENT.
+   #error Removal of these lines opens a security hole if protecting
+   #error from directory indexes with DirectoryIndex.
  	else {
+ #endif
  	    last_cp = cp;
  	
  	    while (--cp > path && *cp != '/')
***************
*** 184,191 ****
--- 194,209 ----
  
  	    while (cp > path && cp[-1] == '/')
  		--cp;
+ 	} 
+ #if defined(ENOENT)
+ 	else {
+ 	    log_printf(r->server, "access to %s failed for client; unable to determine if index
file exists (stat() returned unexpected error)", r->filename);
+ 	    return FORBIDDEN;
  	}
+ #endif
      }
+ 
+     return OK;
  }
  
  int directory_walk (request_rec *r)
***************
*** 261,267 ****
  
      no2slash (test_filename);
      num_dirs = count_dirs(test_filename);
!     get_path_info (r);
      
      if (S_ISDIR (r->finfo.st_mode)) ++num_dirs;
  
--- 279,288 ----
  
      no2slash (test_filename);
      num_dirs = count_dirs(test_filename);
!     res = get_path_info (r);
!     if (res != OK) {
! 	return res;
!     }
      
      if (S_ISDIR (r->finfo.st_mode)) ++num_dirs;
  

*** ../../../../work/apache_1.1.2/src/mod_cookies.c	Sat Jan 11 23:32:39 1997
--- mod_cookies.c	Sun Jan 12 06:00:26 1997
***************
*** 1,6 ****
  
  /* ====================================================================
!  * Copyright (c) 1995, 1996 The Apache Group.  All rights reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
--- 1,6 ----
  
  /* ====================================================================
!  * Copyright (c) 1995-1997 The Apache Group.  All rights reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
***************
*** 119,125 ****
  void make_cookie(request_rec *r)
  {
      struct timeval tv;
!     char new_cookie[100];	/* blurgh */
      char *dot;
      const char *rname = pstrdup(r->pool, 
  				get_remote_host(r->connection, r->per_dir_config,
--- 119,125 ----
  void make_cookie(request_rec *r)
  {
      struct timeval tv;
!     char new_cookie[1024];	/* blurgh */
      char *dot;
      const char *rname = pstrdup(r->pool, 
  				get_remote_host(r->connection, r->per_dir_config,
***************
*** 128,133 ****
--- 128,136 ----
      struct timezone tz = { 0 , 0 };
  
      if ((dot = strchr(rname,'.'))) *dot='\0';	/* First bit of hostname */
+     if (strlen (rname) > 255)
+       rname[256] = 0;
+ 
      gettimeofday(&tv, &tz);
      sprintf(new_cookie,"%s%s%d%ld%d; path=/",
          COOKIE_NAME, rname,




Mime
View raw message