httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: cvs commit: apache-1.3/src/modules/standard mod_userdir.c
Date Thu, 25 Jan 2001 23:07:06 GMT
I've been inside and outside of this patch, and something has me -very-
concerned.

> wrowe       01/01/25 14:59:37
> 
>   Modified:    src/modules/standard mod_userdir.c
>   Log:
>     The netware solution is far safer, IMHO, for the OS2/Win32 code path
>     as well. There is no remaining issue here for the three platforms.
>     It fails if the * isn't suffixed by a slash, but that is the correct
>     form in the context of security.
>   
>   Revision  Changes    Path
>   1.48      +3 -15     apache-1.3/src/modules/standard/mod_userdir.c
>   
>   Index: mod_userdir.c
>   ===================================================================
>   RCS file: /home/cvs/apache-1.3/src/modules/standard/mod_userdir.c,v
>   retrieving revision 1.47
>   retrieving revision 1.48
>   diff -u -r1.47 -r1.48
>   --- mod_userdir.c 2001/01/25 22:01:29 1.47
>   +++ mod_userdir.c 2001/01/25 22:59:36 1.48
>   @@ -266,7 +266,7 @@
>        while (*userdirs) {
>            const char *userdir = ap_getword_conf(r->pool, &userdirs);
>            char *filename = NULL;
>   -#if defined(NETWARE)
>   +#if defined(NETWARE) || defined(HAVE_DRIVE_LETTERS)
>            int is_absolute = ap_os_is_path_absolute(userdir);
>    #endif 
>    
>   @@ -275,16 +275,8 @@
>    
>    if (userdir[0] == '\0' || userdir[0] == '/') {
[snip]

This is -effectively- the very same test as before.  NOW the problem.  I _really_
believe the original author ment to test ap_os_is_path_absolute(), but -NOT-
of the parsed userdir, but the source userdir!

If anyone out there believes me strongly enough to agree, please comment out the
#ifdef exclusion of unix above, and change the (userdir[0] == '/') test to 
for (is_absolute) instead, and we can all sleep well tonight.

I have a few obligations that -don't- involve a PC tonight, so I can't revisit
this.  It does what it did before, a little cleaner, but what it hasn't changed.
The problem that I believe remains was a pre-existing bug.

Bill




Mime
View raw message