httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexei Kosut <ako...@leland.Stanford.EDU>
Subject Re: FindFirstFile
Date Sat, 04 Jul 1998 20:24:01 GMT
On Sat, 4 Jul 1998, Marc Slemko wrote:

> Oh.  
> 
> So if you do FindFirstFile on one of the varient names for a file, does it
> give the real name or the varient?

The variant. Its only use here is to "confirm" that the file really
exists, I suppose. If it did canonicalize the filename, then the way
os_canonical_filename() uses it would, too.

> If it gives the varient, then it is screwed to hell.

Nah, it works as well as the rest of Windows.

I've been looking at
mk:@ivt:pdwbase/native/sdk/win32/sys/src/filesio_4.htm ("Filename
Conventions") and related documentation, and all I have to say is "blah".

I am now seriously thinking that os_canonical_filename(), instead of
silently rewriting filenames to conform to Apache's idea of what a file
should look like, should only confirm that it does. If not, it should
return NULL and Apache can return a 403, log "%s is not a canonical form
of a filename" and get on with life.

That would make the function simpler, too... toss out any filename with
one of < > | " or : (none of which are valid, except the colon as a drive
seperator), toss out any filename that has a dot or a space at the end of
a path segment, and run GetFullPathName() on each segment, and if it
doesn't match, toss it out. It might even check QueryDosDevice() to make
sure someone isn't trying to mess with devices (although I don't think
that works anyway).

This has the added benefit of not screwing up dots and slashes in
PATH_INFO, as the current os_canonical_filename() does.

I'll see about a patch tonight. June 24th has passed, but there are enough
concerns with this that I think we should aim for 1.3.1, with all the
Win32 security fixes we can muster, ASAP.

-- Alexei Kosut <akosut@stanford.edu> <http://www.stanford.edu/~akosut/>
   Stanford University, Class of 2001 * Apache <http://www.apache.org> *



Mime
View raw message