httpd-dev mailing list archives

From Cliff Skolnick <cl...@steam.com>
Subject Re: [patch] mod_access/3821
Date Sun, 21 Mar 1999 00:04:32 GMT

The patch I made is a simple check against the array, rather than the "right
thing" for everyone.  It protects against an out of bounds access of the
array, which is not a bad idea in the first place since it is very light
weight.  I thought it would be safer to deny the request than allow it to
give a conservative behavior.

As for "still allow", before this patch you were getting random behavior.
Now the right thing would be to probably add another method that you could
use that would give you the behavior you need, and increase the size of the
array.  This is the long term fix for the bug, and my patch will not
interfere with any valid method.

Cliff

On Sat, 20 Mar 1999, Greg Stein wrote:

> Will this still allow somebody to use Limit and LimitExcept to allow an
> M_INVALID operation against that directory or its contents? For example,
> there are some additional DAV operations that Apache classifies as
> M_INVALID, but I still need to interpret. There would be no way to do
> that if mod_access unconditionally punted all M_INVALID operations.
> 
> thx
> -g
> 
> Cliff Skolnick wrote:
> > 
> > Here's a quick patch that will tag all M_INVALID check_dir_access calls
> > as FORBIDDEN.
> > 
> > Cliff
> > 
> > Index: apache-1.3/src/modules/standard/mod_access.c
> > ===================================================================
> > RCS file: /home/cvs/apache-1.3/src/modules/standard/mod_access.c,v
> > retrieving revision 1.38
> > diff -u -r1.38 mod_access.c
> > --- mod_access.c        1999/01/01 19:05:06     1.38
> > +++ mod_access.c        1999/03/20 22:28:00
> > @@ -353,7 +353,10 @@
> >      ap_get_module_config(r->per_dir_config, &access_module);
> >      int ret = OK;
> > 
> > -    if (a->order[method] == ALLOW_THEN_DENY) {
> > +    if (method >= METHODS) {
> > +       ret = FORBIDDEN;
> > +    }
> > +    else if (a->order[method] == ALLOW_THEN_DENY) {
> >         ret = FORBIDDEN;
> >         if (find_allowdeny(r, a->allows, method))
> >             ret = OK;
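
Review bot: the new `method >= METHODS` guard at the top of the if/else chain covers only the upper bound; if `method` is a signed int, a negative value would still reach `a->order[method]` in the `else if`, so consider testing `method < 0 || method >= METHODS`. The new FORBIDDEN branch also carries no comment and no log call, so a 403 produced here cannot be told apart from one produced by an allow/deny rule; a one-line comment saying that the index has no slot in `a->order`, plus an error-log entry on that path, would make the behavior diagnosable. Because the branch denies before `find_allowdeny` is consulted, no allow rule can grant access for such a method, which is the limitation raised in the reply above.
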
> > 
> > --
> > Cliff Skolnick
> > Steam Tunnel Operations
> > cliff@steam.com
> > http://www.steam.com/
> 
> --
> Greg Stein, http://www.lyra.org/
> 

--
Cliff Skolnick
Steam Tunnel Operations
cliff@steam.com
http://www.steam.com/

