httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ed Korthof>
Subject [PATCH] Apache 1.2.5 -- security fix for name-based vhosts
Date Mon, 26 Jan 1998 19:28:48 GMT
I posted a patch much like this some months ago, but Dean pointed out that
it still had a few problems.  So far as I can see, this covers all of
those; check_fulluri and reduce_uri (in mod_rewrite) can mess with
r->filename (removing http[s]://{hostname}[:{port}]), but they don't
change r->server, which is where the security hole lies.

It also fixes check_fulluri to work for virtual hosts w/ a wildcard port
and/or multiple ports.

It also fixes check_serverpath, which should make sure the server in
question can possibly be listening for this request (note that one of
either check_hostalias and check_serverpath will run).

It's not needed for 1.3, since Dean's rewrite of the vhost code fixed it
in that.

Someone asked about where/if we keep track of the port the client's
actually connected to -- it's in


(this is an saddr_in struct which is constructed by the system libraries).

     -- Ed Korthof        |  Web Server Engineer --
     --    |  Organic Online, Inc --
     -- (415) 278-5676    |  Fax: (415) 284-6891 --

View raw message