httpd-dev mailing list archives

From Alexei Kosut <>
Subject Re: Alt patch II
Date Tue, 14 Jan 1997 02:32:17 GMT
On Mon, 13 Jan 1997, Jim Jagielski wrote:

> Ben Laurie wrote:
> > 
> > Index: http_request.c
> > ===================================================================
> > RCS file: /export/home/cvs/apache/src/http_request.c,v
> > retrieving revision 1.11
> > diff -c -r1.11 http_request.c
> I +1 these...
> Since this is path-related, I can't see any real need not to do
> so. Of course, we could also expand this to reduce '/./' -> '/'

This, and ../ expansion is done in getparents(), long before the stat
code gets ahold of it. Otherwise, you can get
http://www/../../../etc/passwd and other wonderful URLs.

One problem I have with the code: it looks like (and I admit I haven't
actually tried it) it messes with the path_info creation (which, if
we'll recall, is the purpose of the function get_path_info) if there
are double-slashes in the path info - which we need to preserve (which
is why we don't kill multiple slashes in getparents). Because cp and
end are compared to find r->path_info, if we change end, they won't
match, and it looks like you'll end up with r->path_info getting stuff
that really doesn't make sense. At least, that's how I read it. I
don't have the time unfortunately to try it right now.

As near as I can tell, you have to collapse the slashes each time,
inside the while loop, directly before calling stat.

As I said before, we probably should call no2slash() on r->filename
after we establish r->path_info. Although UNIX doesn't really care
about multiple slashes, other OSes do. Example: on the Mac, the :
character is basically equivalent to the / character. However,
:one:two::three is equivalent to :one:two, not :one:two:three (as it
would be with Unix). Admittedly, Apache does not run on the MacOS, but
I feel I should point that out. Additionally, if we called no2slash()
here, we could remove the instances of it in directory_walk and
files_walk, so you'd actually save a call to no2slash.

One other note: how is collapse_path() substantially different than
the following?

char *end = pstrdup(r->pool, r->filename);

Alexei Kosut <>      The Apache HTTP Server
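
The ordering discussed in the message above, as an added example that is not part of the original post and is not Apache's code: slashes are collapsed on a scratch copy directly before each lookup, so the offset that yields path_info still indexes the untouched string. The names collapse_slashes, fake_exists and find_path_info are hypothetical, and the path and the single "existing" file are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for no2slash(): collapse runs of '/' in place. */
static void collapse_slashes(char *s) {
    char *d = s;
    while (*s) {
        *d++ = *s;
        if (*s == '/') { while (*s == '/') s++; }
        else s++;
    }
    *d = '\0';
}

/* Constructed lookup standing in for stat(): only one file exists. */
static int fake_exists(const char *path) {
    return strcmp(path, "/docs/cgi/script") == 0;
}

/* Walk back through `filename` one segment at a time. Each candidate prefix
 * is collapsed in the scratch buffer `file` just before the lookup, so `end`
 * always indexes the untouched original and the returned path_info keeps
 * its own double slashes. Returns NULL if no prefix exists. */
static const char *find_path_info(const char *filename, char *file, size_t n) {
    size_t end = strlen(filename);
    if (end >= n) return NULL;
    while (end > 0) {
        memcpy(file, filename, end);
        file[end] = '\0';
        collapse_slashes(file);
        if (fake_exists(file)) return filename + end;
        do { end--; } while (end > 0 && filename[end] != '/');
    }
    return NULL;
}

int main(void) {
    char file[128], pre[128] = "/docs//cgi/script/extra//info";
    const char *pi = find_path_info(pre, file, sizeof file);
    printf("collapse per lookup: file=%s path_info=%s\n", file, pi);
    collapse_slashes(pre);  /* collapsing up front rewrites path_info too */
    pi = find_path_info(pre, file, sizeof file);
    printf("collapse up front:   file=%s path_info=%s\n", file, pi);
    return 0;
}
```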
