httpd-dev mailing list archives

From "Roy T. Fielding" <field...@kiwi.ICS.UCI.EDU>
Subject Re: big bug in 1.2b9
Date Mon, 28 Apr 1997 05:08:54 GMT
That just restores the bug that I was trying to fix.  We don't want to
release this.

The function should be creating an argument for each keyword in
   one+two+three+four

If necessary, just go back to the version before the bug was introduced
(I think it was 1.31) and restore the original extraction code (the part
of it that handles the reqargs).  OTOH, it should be possible to just loop
through char by char, put a '\0' at the '+', and place the saved
pos of the start of each keyword in the ar[].

Aww heck, I'm at home right now, but I'll gen a patch.

......Roy

In message <Pine.BSF.3.95q.970427173108.22103A-100000@valis.worldgate.com>, Marc Slemko writes:
>The problem looks to be in create_argv, the:
>
>    while ((idx < APACHE_ARG_MAX) && ((t = strtok(args, "+")) != NULL)) {
>        unescape_url(t);
>        av[idx++] = escape_shell_cmd(p, t);
>    }
>
>loop doesn't terminate.  I really don't understand how that is supposed to
>work.  Ah.  Ok, the strtok call is messed up.
>
>The following patch seems to fix it, although it isn't the cleanest way of
>doing it.
>
>Index: util_script.c
>===================================================================
>RCS file: /export/home/cvs/apache/src/util_script.c,v
>retrieving revision 1.53
>diff -c -r1.53 util_script.c
>*** util_script.c	1997/04/27 07:14:02	1.53
>--- util_script.c	1997/04/27 23:36:11
>***************
>*** 79,84 ****
>--- 79,85 ----
>      char *t;
>      char *args = pstrdup(p, reqargs);
>      int idx = 0;
>+     char *strtok_arg = args;
>  
>      av = (char **)palloc(p, APACHE_ARG_MAX * sizeof(char *));
>      
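Review bot: declaring `strtok_arg` next to `args` leaves two names for the same buffer with nothing saying why; a one-line comment that it exists only because strtok wants NULL on every call after the first would save the next reader a trip to the man page. Alternatively, as Roy's reply suggests, walk the buffer by hand, NUL out each '+' and save the keyword starts directly, which drops strtok and its static state from the server altogether and makes this extra variable unnecessary.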
>***************
>*** 91,97 ****
>  
>      av[idx++] = av0;
>      
>!     while ((idx < APACHE_ARG_MAX) && ((t = strtok(args, "+")) != NULL)) {
>  	unescape_url(t);
>  	av[idx++] = escape_shell_cmd(p, t);
>      }
>--- 92,99 ----
>  
>      av[idx++] = av0;
>      
>!     while ((idx < APACHE_ARG_MAX) && ((t = strtok(strtok_arg, "+")) != NULL)
>) {
>!         strtok_arg = NULL;
>  	unescape_url(t);
>  	av[idx++] = escape_shell_cmd(p, t);
>      }
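Review bot: the `while` line has been wrapped by the mailer (`!= NULL)` on one line, `) {` on the next), so this patch will not apply as posted; please re-send with long lines intact. The fix itself is right: setting `strtok_arg = NULL` inside the loop makes every call after the first continue from strtok's saved position instead of restarting on the now-truncated first keyword, which is exactly why the same argument was repeated. One thing to check while here: `av` is allocated with `APACHE_ARG_MAX` entries and the loop may fill index `APACHE_ARG_MAX - 1`, so whatever writes the terminating NULL after the loop (not in this hunk) needs a free slot; bounding on `APACHE_ARG_MAX - 1` would guarantee it.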
>
>
>On Sun, 27 Apr 1997, Dean Gaudet wrote:
>
>> In the past we've just gone direct to the next beta in this case... it's
>> the safest.  I'll remove the 1.2b9 tarball for now.
>> 
>> Dean
>> 
>> On Sun, 27 Apr 1997, Marc Slemko wrote:
>> 
>> > try a script accessing something like foo.cgi?bar.  bar will be passed a
>> > zillion times in argv.  Happens even without suexec.
>> > 
>> > I haven't followed those changes so I don't know what is going on, but I
>> > will take a look...
>> > 
>> > A bit late to hold release of 1.2b9.  Sigh.  We could temporarily remove
>> > the tarball then remake it if people don't mind having two different
>> > 1.2b9s out there...
>> > 
>> > 
>> 
>
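As an added example (not code from the Apache tree or from anyone on this thread), here is the hand-rolled scan Roy describes: walk the query char by char, write a '\0' at each '+', and save the start of each keyword in av[]. Beside it is a bounded reproduction of the 1.2b9 strtok loop Marc quoted, so the repeated-argument symptom can be seen directly. The names build_cgi_argv, buggy_strtok_argv, MAX_SLOTS and the sample query are mine; pstrdup, unescape_url and escape_shell_cmd are left out, so the caller supplies a writable copy of reqargs and would apply the unescaping and shell-escaping to each keyword as the real create_argv does.

```c
/* Added example, not Apache code: splitting a CGI query such as
 * "one+two+three+four" into argv entries without strtok. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SLOTS 8   /* stand-in for APACHE_ARG_MAX; counts av[0] and the NULL */

/* Walk args char by char, NUL-terminating each keyword at its '+' and
 * storing the saved start of each keyword in av[]. av[0] is the script
 * path (av0). Empty keywords ("a++b") are skipped, as strtok skips them.
 * The last slot is always reserved for the terminating NULL, so at most
 * max_slots - 2 keywords are kept and the rest are dropped.
 * Returns the number of entries written, av[0] included. */
int build_cgi_argv(char *av0, char *args, char **av, int max_slots)
{
    int idx = 0;
    char *start = args;   /* start of the keyword being scanned */
    char *c = args;

    if (max_slots < 2)
        return 0;
    av[idx++] = av0;

    for (;;) {
        if (*c == '+' || *c == '\0') {
            int at_end = (*c == '\0');
            *c = '\0';                      /* terminate the current keyword */
            if (*start != '\0' && idx < max_slots - 1)
                av[idx++] = start;          /* save its start position */
            if (at_end || idx == max_slots - 1)
                break;
            start = c + 1;                  /* next keyword begins after '+' */
        }
        c++;
    }
    av[idx] = NULL;
    return idx;
}

/* The 1.2b9 loop for comparison (bounded so it terminates): strtok is
 * handed `args` on every pass, so each call restarts on the already
 * truncated first keyword and returns it again until the slot bound is
 * hit. Returns the number of entries written. */
int buggy_strtok_argv(char *av0, char *args, char **av, int max_slots)
{
    int idx = 0;
    char *t;

    av[idx++] = av0;
    while (idx < max_slots - 1 && (t = strtok(args, "+")) != NULL)
        av[idx++] = t;
    av[idx] = NULL;
    return idx;
}

int main(void)
{
    char query[] = "one+two+three+four";   /* constructed query string */
    char *av[MAX_SLOTS];
    int n = build_cgi_argv("/cgi-bin/foo.cgi", query, av, MAX_SLOTS);
    int i;

    for (i = 0; i < n; i++)
        printf("av[%d] = %s\n", i, av[i]);

    strcpy(query, "bar");                   /* the foo.cgi?bar case */
    n = buggy_strtok_argv("/cgi-bin/foo.cgi", query, av, MAX_SLOTS);
    for (i = 0; i < n; i++)
        printf("buggy av[%d] = %s\n", i, av[i]);
    return 0;
}
```

The scan keeps the bound on the array rather than on strtok's return value, which is the other difference from the posted loop: with an APACHE_ARG_MAX-sized array and a bound of `idx < APACHE_ARG_MAX`, a query with enough keywords leaves no slot for the NULL terminator.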