httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ed Korthof ...@organic.com>
Subject [PATCH] Apache 1.2.5 -- security fix for name-based vhosts
Date Mon, 26 Jan 1998 19:28:48 GMT
I posted a patch much like this some months ago, but Dean pointed out that
it still had a few problems.  So far as I can see, this covers all of
those; check_fulluri and reduce_uri (in mod_rewrite) can mess with
r->filename (removing http[s]://{hostname}[:{port}]), but they don't
change r->server, which is where the security hole lies.

It also fixes check_fulluri to work for virtual hosts w/ a wildcard port
and/or multiple ports.

It also fixes check_serverpath, which should make sure the server in
question can possibly be listening for this request (note that one of
either check_hostalias and check_serverpath will run).

It's not needed for 1.3, since Dean's rewrite of the vhost code fixed it
in that.

Someone asked about where/if we keep track of the port the client's
actually connected to -- it's in

r->connection->local_addr.sin_port

(this is an saddr_in struct which is constructed by the system libraries).

     -- Ed Korthof        |  Web Server Engineer --
     -- ed@organic.com    |  Organic Online, Inc --
     -- (415) 278-5676    |  Fax: (415) 284-6891 --


Mime
View raw message