httpd-dev mailing list archives

From "William A. Rowe, Jr." <>
Subject Re: 2.0.26?
Date Fri, 31 Aug 2001 04:45:09 GMT
From: "Cliff Woolley" <>
Sent: Thursday, August 30, 2001 11:38 PM

> On Thu, 30 Aug 2001, William A. Rowe, Jr. wrote:
> > Gut instinct?  The "INTERNAL FOONESS" uri's which are now going
> > through <Location> walk, we have to think those through.
> You're right:
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 1024 (LWP 20591)]
> ap_getparents (name=0x80e0420 "INTERNALLY GENERATED file-relative req") at util.c:488
> 488                 name[w++] = name[l++];
> (gdb) bt
> #0  ap_getparents (name=0x80e0420 "INTERNALLY GENERATED file-relative req") at util.c:488
> #1  0x080e0420 in core_cmds () at eval.c:41
> #2  0x080b9912 in ap_process_request_internal (r=0x8159acc) at request.c:152
> #3  0x080bacf4 in ap_sub_req_lookup_file (new_file=0xbfffaf50 "if4.shtml", r=0x8155aac, next_filter=0x8156c34) at request.c:1672

I suggest we handle this as follows; r->uri becomes NULL.  If a hook fn doesn't
like it, it needs to decline.  Where we go and reject the URI out of hand, let's
also test for r->main, and if we have a parent, then let it slide.  If we don't
(we are the main request) we can cough up a 500 if there was a leading slash
or asterisk on the original uri, or a 400 if there was not.

I've had it (for tonight.)  I'll be happy to pick back up anything necessary in
the morning, and will finish my audit of the overall delta after we pin this
down.  But I would much rather see non-file requests get r->filename of NULL
(what about mime filename extensions?  I don't think they should apply to 
non-files) and r->uri of NULL for truly bogus internal redirects.

I know this will break some 3rd party modules.  This is 2.0, and we are working
to _help_ them avoid the bugtrac reports on their modules.  I'd think getting
this right (in this day and age of the hourly new exploit) is far preferable to
inconveniencing an author with a set of five new rules.  {Ok ok... this will get
documented once decisions are reached!}
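As an added illustration (not code from httpd or from anyone in this thread), the C below sketches the handling proposed in the message above: a disposition function that models the "test r->main, then 500 for a leading slash or asterisk, else 400" rule, and an ap_getparents-style "../" collapser that declines on a NULL uri instead of walking it. The function names, the OK/DECLINED convention and the use of the HTTP status values 400 and 500 as return codes are assumptions made for the sketch; the real util.c routine is not reproduced here.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not httpd code.  OK/DECLINED follow the httpd hook
 * convention; 400 and 500 are the HTTP statuses named in the message.
 * bogus_uri_disposition, safe_getparents and canon_equals are hypothetical. */
#define DECLINED   (-1)
#define OK           0
#define HTTP_BAD_REQUEST            400
#define HTTP_INTERNAL_SERVER_ERROR  500

/* Decide what to do with a request whose uri was rejected out of hand.
 * has_parent models r->main != NULL (we are a sub-request); orig_uri models
 * the uri as the client (or the internal generator) originally supplied it. */
int bogus_uri_disposition(const char *orig_uri, int has_parent)
{
    if (has_parent)
        return OK;                              /* sub-request: let it slide */
    if (orig_uri && (orig_uri[0] == '/' || orig_uri[0] == '*'))
        return HTTP_INTERNAL_SERVER_ERROR;     /* looked like a real uri: our bug */
    return HTTP_BAD_REQUEST;                    /* never a uri: reject it */
}

/* Parent-collapsing canonicaliser in the spirit of ap_getparents(): drops
 * "./" segments and resolves "../" against the previous segment, in place,
 * on a writable caller-owned buffer.  "../" at the root is discarded and a
 * trailing '/' is kept.  Declines on NULL, which is what the message asks
 * hooks to do once internal requests carry r->uri == NULL; the backtrace
 * above is what a loop like this does when handed a read-only sentinel. */
int safe_getparents(char *name)
{
    char *in, *out;
    int rooted, at_seg_start = 1;

    if (name == NULL)
        return DECLINED;

    rooted = (name[0] == '/');
    for (in = out = name; *in != '\0'; ) {
        if (at_seg_start && in[0] == '.') {
            if (in[1] == '/' || in[1] == '\0') {            /* "./" or trailing "." */
                in += (in[1] == '/') ? 2 : 1;
                continue;
            }
            if (in[1] == '.' && (in[2] == '/' || in[2] == '\0')) { /* "../" */
                in += (in[2] == '/') ? 3 : 2;
                if (out - name > rooted) {                  /* pop previous segment */
                    out--;                                  /* its terminating '/' */
                    while (out - name > rooted && out[-1] != '/')
                        out--;
                }
                continue;
            }
        }
        at_seg_start = (*in == '/');
        *out++ = *in++;
    }
    *out = '\0';
    return OK;
}

/* Copy input into scratch space, canonicalise it, compare with expected. */
int canon_equals(const char *input, const char *expected)
{
    char buf[256];
    if (strlen(input) >= sizeof buf)
        return 0;
    strcpy(buf, input);
    return safe_getparents(buf) == OK && strcmp(buf, expected) == 0;
}

int main(void)
{
    char uri[] = "/cgi-bin/../if4.shtml";           /* constructed sample */
    safe_getparents(uri);
    printf("%s\n", uri);
    printf("NULL uri -> %d\n", safe_getparents(NULL));
    printf("main req, '/if4.shtml' -> %d\n", bogus_uri_disposition("/if4.shtml", 0));
    printf("main req, sentinel -> %d\n",
           bogus_uri_disposition("INTERNALLY GENERATED file-relative req", 0));
    printf("sub req, sentinel -> %d\n",
           bogus_uri_disposition("INTERNALLY GENERATED file-relative req", 1));
    return 0;
}
```

The point of the NULL check is the one the message makes: a hook that receives no uri must decline rather than canonicalise, because the old sentinel string was never a path and, being a literal, was not even writable.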

