httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Sutton <p...@ukweb.com>
Subject Re: Repost: [BUG] PR#1031: ErrorDocument with type-maps
Date Wed, 03 Sep 1997 09:23:07 GMT
On Tue, 2 Sep 1997, Dean Gaudet wrote:
> On Wed, 27 Aug 1997, Lars Eilebrecht wrote:
> 
> > Any ideas why ErrorDocuments to .var files are broken?
> 
> Did it ever "work"?

Yeah, it worked prior to version 1.43 of mod_negotiation.c. It stopped
with the patch (below) associated with the log message: 

date: 1997/06/24 03:03:49;  author: dgaudet;  state: Exp;  lines: +9 -6
  Fix a few security problems.  Avoid problems with pipes, sockets, etc.
  in the filesystem.  Use sub_req_lookup_file for various functions that
  open ancillary files, so that they have to pass the symlink tests.
  Also disallow slashes in HeaderName and ReadmeName to avoid
  ../../../hacks.o

The problem is that read_type_map() now checks to see if the status of the
request in progress is not HTTP_OK and if it is not, returns that status.
Unfortunately when an error document starts it inherits the main
document's error code (e.g. HTTP_NOT_FOUND) in
internal_internal_redirect(). 

Two possible fixes are 

 a. get send_error_response() to reset r->status to HTTP_OK on the
    subrequest
 b. remove the check for r->status in read_type_map().

Both of these are likely to have security implications though.

//pcs

Index: mod_negotiation.c
===================================================================
RCS file: /export/home/cvs/apachen/src/modules/standard/mod_negotiation.c,v
retrieving revision 1.42
retrieving revision 1.43
diff -u -r1.42 -r1.43
--- mod_negotiation.c	1997/06/17 00:09:14	1.42
+++ mod_negotiation.c	1997/06/24 03:03:49	1.43
@@ -645,17 +645,20 @@
     return cp;
 }
 
-int read_type_map (negotiation_state *neg, char *map_name)
+static int read_type_map (negotiation_state *neg, request_rec *rr)
 {
     request_rec *r = neg->r;
-    FILE *map = pfopen (neg->pool, map_name, "r");
-
+    FILE *map;
     char buffer[MAX_STRING_LEN];
     enum header_state hstate;
     struct var_rec mime_info;
     
+    if (rr->status != HTTP_OK) {
+	return rr->status;
+    }
+    map = pfopen (neg->pool, rr->filename, "r");
     if (map == NULL) {
-        log_reason("cannot access type map file", map_name, r);
+        log_reason("cannot access type map file", rr->filename, r);
 	return FORBIDDEN;
     }
 
@@ -783,7 +786,7 @@
 	    closedir(dirp);
 	    
 	    neg->avail_vars->nelts = 0;
-	    return read_type_map (neg, sub_req->filename);
+	    return read_type_map (neg, sub_req);
 	}
 	
 	/* Have reasonable variant --- gather notes.
@@ -1853,7 +1856,7 @@
     
     char *udir;
     
-    if ((res = read_type_map (neg, r->filename))) return res;
+    if ((res = read_type_map (neg, r))) return res;
     
     maybe_add_default_encodings(neg, 0);
     



Mime
View raw message