httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dean Gaudet <dgau...@arctic.org>
Subject Re: [PATCH] Apache 1.2.5 -- security fix for name-based vhosts
Date Wed, 28 Jan 1998 10:38:10 GMT
This looks good.  It seems to preserve a bunch of the quirky 1.2 vhost
behaviour.  I really hope we can get some 1.2 guinea pigs to try it out
before we do a 1.2.6 release though.  I've got a 1.2 machine somewhere
that I'll upgrade with it. 

I'm changing all the strcmp/strncmps to strcasecmp/strncasecmp ... I just
noticed that we're in violation of rfc2068 section 3.2.3: 

    o Comparisons of scheme names MUST be case-insensitive

We've got case-sensitive comparisions of http:// here and there.  I'll fix
that in 1.3 in a few minutes. 

You've got a comment: 

          /* we still might want to do something below (ie. set r->proxyreq) */

I'm pretty sure that behaviour changed in 1.3 ... but we can leave it
alone for 1.2.  i.e. it's odd that ServerName is treated a bit different
here. 

Dean

On Mon, 26 Jan 1998, Ed Korthof wrote:

> I posted a patch much like this some months ago, but Dean pointed out that
> it still had a few problems.  So far as I can see, this covers all of
> those; check_fulluri and reduce_uri (in mod_rewrite) can mess with
> r->filename (removing http[s]://{hostname}[:{port}]), but they don't
> change r->server, which is where the security hole lies.
> 
> It also fixes check_fulluri to work for virtual hosts w/ a wildcard port
> and/or multiple ports.
> 
> It also fixes check_serverpath, which should make sure the server in
> question can possibly be listening for this request (note that one of
> either check_hostalias and check_serverpath will run).
> 
> It's not needed for 1.3, since Dean's rewrite of the vhost code fixed it
> in that.
> 
> Someone asked about where/if we keep track of the port the client's
> actually connected to -- it's in
> 
> r->connection->local_addr.sin_port
> 
> (this is an saddr_in struct which is constructed by the system libraries).
> 
>      -- Ed Korthof        |  Web Server Engineer --
>      -- ed@organic.com    |  Organic Online, Inc --
>      -- (415) 278-5676    |  Fax: (415) 284-6891 --
> 
> 

Mime
  • Unnamed multipart/mixed (inline, None, 0 bytes)
View raw message