httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Date Mon, 05 Jun 2000 03:18:22 GMT
> From: William A. Rowe, Jr. []
> Sent: Saturday, June 03, 2000 10:00 PM
> Here is a reworking of some additional util_win32.c security testing,
> but still not what Marc is discussing.  I've been drawn to the fact
> that relatively obscure device drivers may be installed that are outside
> the 'standard' exclusions list.  These extra tests are also a performance
> drain, although they affect only 3-4 character name segments.   Howdy.html
> isn't impacted, but a tree like /docs/app/rev/ is heavily impacted.
> Please review, and comment.
> Note that FILE_ATTRIBUTE_NORMAL, or value 0x80, has been a device
> driver file flag for many, many years.  I believe, based on the fact
> that we test -every- segment to the end name, that this would also
> maintain security against the well-publicized Windows 95 security hole
> against multiple device names in the path; i.e. 
> /con/con/nul/blowup.html 

Tim Costello and I have been comparing notes all weekend on this issue.

The patch fails in the context of the WinNT file system(s).  WinNT no
longer associates 0x80 with a device, and in fact -returns- that value
if no other flags are set (this behavior differs from it's pre-NT
cousins, which returned 0x80 for devices?)

So with that said, I set out to dump the fields.  FileTime.c is attached.
Interesting, but under NT the dates are all NULL for devices (Date 
Modified is the only reliable indicator across all file systems.)  
Also, size is 0, and the reserved fields appear to be consistently zero 
(I don't trust that as a security instrument, would you :-?)

And I proceeded to use the QueryDosDevices() call, the source for that
test is also attached.  Unfortunately, there seems to be no way to query
the global/local flag of the device.

Any additional thoughts are greatly desired, or I will be withdrawing that
patch submission entirely :-(


ps... looked at this function, but it is worthless while we are testing access allowed:

DWORD GetFileType(HANDLE hFile); 


FILE_TYPE_UNKNOWN  is unknown.  
FILE_TYPE_DISK  is a disk file. 
FILE_TYPE_CHAR  is a character file, typically an LPT device or a console. 
FILE_TYPE_PIPE  is either a named or anonymous pipe. 

View raw message