httpd-dev mailing list archives

From c...@decus.org (Rodent of Unusual Size)
Subject [PATCH] for PR#269 (et alia): '/' in suexec script invocations
Date Wed, 23 Apr 1997 15:11:50 GMT
>From the fingers of Marc Slemko flowed the following:
>
>There are several bug reports on this issue.  Sigh.
>
>---------- Forwarded message ----------
>Date: Thu, 27 Mar 1997 07:10:02 -0800 (PST)
>From: Mark Bentley <bentlema@cs.umn.edu>
>Subject: suexec/269: Server-side include exec cmd with suEXEC bug
>
>An SSI such as:
>
> <!--#exec cmd="bin/myscript" -->
>
>which is relative to UserDir, doesn't work because of these lines in suEXEC:
>
>    /*
>     * Check for a '/' in the command to be executed,
>     * to protect against attacks.  If a '/' is
>     * found, error out.  Naughty naughty crackers.
>     */
>    if ((strchr(cmd, '/')) != NULL ) {
>        log_err("invalid command (%s)\n", cmd);
>        exit(104);
>    }

    How about the following patch?  I think this relaxes the restriction
    enough to be useful, whilst retaining appropriate paranoia..
    Addresses PRs #269, 319, 395.

    Warning: I have *NOT* tested this patch yet, other than to verify
    that it compiles <g>.  I don't use suexec, so it will take me a bit
    to come up to speed..

    #ken    :-)}

Index: suexec.c
===================================================================
RCS file: /export/home/cvs/apache/support/suexec.c,v
retrieving revision 1.20
diff -c -r1.20 suexec.c
*** suexec.c	1997/04/07 17:48:39	1.20
--- suexec.c	1997/04/23 15:06:47
***************
*** 264,274 ****
      }
      
      /*
!      * Check for a '/' in the command to be executed,
!      * to protect against attacks.  If a '/' is
       * found, error out.  Naughty naughty crackers.
       */
!     if ((strchr(cmd, '/')) != NULL ) {
  	log_err("invalid command (%s)\n", cmd);
  	exit(104);
      }
--- 264,279 ----
      }
      
      /*
!      * Check for a leading '/' (absolute path) in the command to be executed,
!      * or attempts to back up out of the current directory,
!      * to protect against attacks.  If any are
       * found, error out.  Naughty naughty crackers.
       */
!     if (
! 	    (cmd[0] == '/') ||
! 	    (! strncmp (cmd, "../", 3)) ||
! 	    (strstr (cmd, "/../") != NULL)
!        ) {
  	log_err("invalid command (%s)\n", cmd);
  	exit(104);
      }
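
Review bot: the three tests in the new `if` only match `..` when a slash follows it, so a command that is exactly `..` or that ends in `/..` (for example `bin/..`) passes the check, although the updated comment says attempts to back up out of the current directory are rejected. Consider adding `strcmp(cmd, "..") == 0` and a test for a trailing `/..`, or walking the string one path component at a time and rejecting any component equal to `..`. The comment could also say outright that relative paths containing '/' are now accepted, since that is the behaviour change the PRs ask for.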
