Return-Path:
Delivered-To: new-httpd-archive@hyperreal.org
Received: (qmail 10348 invoked by uid 6000); 26 Jan 1998 20:45:39 -0000
Received: (qmail 10338 invoked from network); 26 Jan 1998 20:45:38 -0000
Received: from twinlark.arctic.org (204.62.130.91) by taz.hyperreal.org with SMTP; 26 Jan 1998 20:45:38 -0000
Received: (qmail 16837 invoked by uid 500); 26 Jan 1998 20:53:37 -0000
Date: Mon, 26 Jan 1998 12:53:37 -0800 (PST)
From: Dean Gaudet
To: Stipe Tolj
cc: Apache HTTP Server Mailing List
Subject: Re: Apache 1.2.5 Win32 CYGWIN32 support patch
In-Reply-To:
Message-ID:
X-Comment: Visit http://www.arctic.org/~dgaudet/legal for information regarding copyright and disclaimer.
Organization: Transmeta Corp.
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-851401618-885494239=:29047"
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

Some comments, in addition to what Brian said, although I'm not sure you're on the development list so you may not have seen Brian's remarks. I encourage you to join the development list and assist with the win32 effort in 1.3.

- you should #define NO_KILLPG in conf.h rather than create another definition in http_main.c. In fact it looks like you didn't even provide a conf.h section for CYGWIN32 at all. This is the normal way to do a port, there are a lot of examples in conf.h.
- portability patches should not include new features mixed in
- if you disable the longjmps as you have timeouts are completely broken, this isn't exactly a good thing
- your patch does not deal with file system case-insensitivity, or 8.3 names...
  which makes it insecure
- you've removed the daemons_max_free test... and not replaced it with anything... so the server won't respect MaxSpareServers

Unfortunately I really don't think we can accept this patch, it would make the situation worse than it is now in my opinion. Even some of our more obscure ports for ancient unix platforms and mainframe platforms would be more stable... and since win32 is such a wide-spread platform it would do us harm to support it so poorly (in 1.2 that is).

But I did notice one thing that the other win32 folks here should check on:

+ /* + * CAUTION: Security leak on Win32 systems in the next if statement. + * Clients may override document_root by /....... + */ + + /* _###_ by ST. */ if (allow_opts & OPT_INDEXES) + + /* + * Check for /..... overriding for Win32. A maximum of 2 dots + * is allowed, if more dots are within the path deny + * access to index. Seems to work. + */ + +#ifdef CYGWIN32 /* _###_ by ST. */ + if (strstr(r->filename, "...") != NULL) { + log_reason ("Directory index forbidden by rule", r->filename, r); + return HTTP_FORBIDDEN; + } else return index_directory (r, d); +#else return index_directory (r, d); +#endif +

I remember this from DOS days, you could use a whack of ..... to go up a bunch of directories. I wasn't aware this always worked... but maybe it works on win95. I don't think we currently test for this in 1.3.

Laters
Dean
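
Review bot: in the CYGWIN32 branch, the test strstr(r->filename, "...") != NULL sits only on the path that ends in index_directory(r, d), under if (allow_opts & OPT_INDEXES), while the CAUTION comment above it describes clients overriding document_root with a run of dots, which is not limited to directory indexes. A guard placed here leaves any request that does not reach index_directory() unchecked, so the check belongs where the request path is validated, once, before the filename is used by any handler. It is also a plain substring match: it rejects every filename that contains three consecutive dots anywhere, rather than path segments that consist only of dots and are longer than two, which is what the comment ("A maximum of 2 dots is allowed") describes. The reason string "Directory index forbidden by rule" says nothing about the dot check, so these rejections cannot be told apart in the error log; a separate message would help. "Seems to work" in the comment should be replaced by a statement of which Win32 behaviour is being guarded against, and the else after return HTTP_FORBIDDEN; is not needed.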