httpd-dev mailing list archives

From Martin Kraemer <>
Subject [PATCH] fix pcfg_openfile() (was: mod_auth-any/1672: Authentication / .htaccess DoS attack)
Date Thu, 15 Jan 1998 11:12:36 GMT
On Wed, Jan 14, 1998 at 02:50:01PM -0600, Igor Tatarinov wrote:
> But why not do this checking in mod_auth ?
> or pcfg_openfile might be the right function to fix.

I think that's a sensible idea. The number of pcfg_openfile() calls is
limited to reading the config files, the htpasswd files, the .htaccess
files, in short all those files where it is not acceptable to read
from devices (or directories ;-).

Why not add another fstat() and check for S_IFREG()? The appended patch
does that (and fixes some more bugs in pcfg_openfile()):
    * the debug message was at the wrong place and would print an arbitrary
      setting of errno
    * filename==NULL was only checked in the debug message, but not in the
      corresponding fopen()

| S I E M E N S |  <>  |      Siemens Nixdorf
| ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
| N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request
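
Added example, not part of the original message or the appended patch: a stand-alone C helper showing the check discussed above, rejecting a NULL name before the open and accepting only regular files via fstat() on the open descriptor. The name open_regular_cfg, the errno values chosen and the use of open() with O_NONBLOCK (so a FIFO cannot stall the open) are assumptions made for this illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Apache's pcfg_openfile): open `name` for reading
 * only if it is a regular file. Returns NULL with errno set otherwise. */
FILE *open_regular_cfg(const char *name)
{
    struct stat st;
    int fd, saved;
    FILE *fp;

    if (name == NULL) {          /* checked before the open, not only when logging */
        errno = EINVAL;
        return NULL;
    }
    /* O_NONBLOCK: opening a FIFO with no writer returns instead of hanging. */
    fd = open(name, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return NULL;             /* errno from open() is still intact here */
    /* fstat() the descriptor we hold, so the check and the read see one object. */
    if (fstat(fd, &st) != 0) {
        saved = errno;
    } else if (!S_ISREG(st.st_mode)) {   /* device, directory, FIFO, socket */
        saved = S_ISDIR(st.st_mode) ? EISDIR : EACCES;
    } else if ((fp = fdopen(fd, "r")) != NULL) {
        return fp;
    } else {
        saved = errno;
    }
    close(fd);                   /* close() may clobber errno, so restore it */
    errno = saved;
    return NULL;
}

int main(void)
{
    /* Constructed sample paths: a directory, a device, a typical regular file. */
    const char *paths[] = { "/", "/dev/null", "/etc/hostname" };
    for (size_t i = 0; i < 3; i++) {
        FILE *fp = open_regular_cfg(paths[i]);
        printf("%-14s %s\n", paths[i], fp ? "accepted" : "rejected");
        if (fp) fclose(fp);
    }
    return 0;
}
```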
