httpd-dev mailing list archives

From Manoj Kasichainula <man...@raleigh.ibm.com>
Subject [PATCH] PR #2355 and very minor security hole fix
Date Fri, 17 Jul 1998 22:37:17 GMT
Attached is a proposed fix for PR 2355. With this patch, Apache uses
ap_sub_rec_lookup_file to get the filename specified in a "file="
parameter (for example, in an flastmod or fsize call).

Right now, it is possible to invoke SSI commands such as flastmod and
fsize to obtain information about files in the server root on Win32.
For example,

<!--#flastmod file="apache.exe"-->
  
has been tested to return a result on a Win32 server. Using
ap_sub_rec_lookup_file to get the file name closes this minor hole as
well.

-- 
Manoj Kasichainula - manojk@raleigh.ibm.com
IBM - Research Triangle Park, NC
ADTI, IBM Apache Development Team
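
An added illustration, not part of the original message and not Apache's code: a stand-alone C helper that anchors an SSI file= value to the directory of the including document and rejects absolute paths and ".." components, so a bare name such as apache.exe can no longer refer to a file in the server root. The function name, the rejection rules and the sample paths are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Hypothetical helper, not an Apache API: anchor an SSI file="..." value to
 * the directory of the including document. Returns 0 and fills out, or -1. */
int resolve_ssi_file(const char *doc, const char *arg, char *out, size_t outlen)
{
    size_t i, n, dirlen = 0;
    const char *p = arg;

    if (arg[0] == '\0' || is_sep(arg[0]))
        return -1;                      /* empty or absolute path */
    if (isalpha((unsigned char)arg[0]) && arg[1] == ':')
        return -1;                      /* Win32 drive-qualified path */
    while (*p) {                        /* reject any ".." component */
        for (n = 0; p[n] && !is_sep(p[n]); n++)
            ;
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return -1;
        p += n;
        if (*p)
            p++;                        /* step over the separator */
    }
    for (i = 0; doc[i]; i++)            /* keep doc's directory part */
        if (is_sep(doc[i]))
            dirlen = i + 1;
    if (dirlen + strlen(arg) + 1 > outlen)
        return -1;                      /* result would not fit */
    memcpy(out, doc, dirlen);
    strcpy(out + dirlen, arg);
    return 0;
}

int main(void)
{
    /* Constructed sample paths, not taken from the original message. */
    const char *doc = "C:/apache/htdocs/docs/page.shtml";
    const char *args[] = { "footer.html", "apache.exe", "../conf/httpd.conf" };
    char buf[256];
    for (int i = 0; i < 3; i++) {
        int rc = resolve_ssi_file(doc, args[i], buf, sizeof buf);
        printf("%-20s -> %s\n", args[i], rc == 0 ? buf : "(rejected)");
    }
    return 0;
}
```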
