httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From (Rodent of Unusual Size)
Subject Re: suexec/269: Server-side include exec cmd with suEXEC bug (fwd)
Date Mon, 07 Apr 1997 13:15:30 GMT
>From the fingers of Randy Terbush flowed the following:
>What do you suggest Marc. Should we just check cmd[0] == '/'?

    What is the desired behaviour?  To only allow invocation of scripts
    from the `current' directory or below, yes?  If so, the above isn't
    good enough; what about use of "../"?  And (I haven't looked at the
    code) what about symlinks?

    If symlinks are already covered, then I think checking for an
    initial "/" or "../", or "/../" anywhere in the string, would be an
    improvement.  (Note that I listed those deliberately, since
    "foo../bar.cgi" would be a valid script name.)  I'm not sure it
    covers enough, but I don't have time to give it Serious Thought(tm)
    right now..

    #ken    :-)}

View raw message