From: Stipe Tolj
Organization: Wapme Systems AG
To: dev@httpd.apache.org
CC: Martin Kraemer
Date: Wed, 04 Feb 2004 17:48:48 +0100
Message-ID: <40212270.65A0C43F@wapme-systems.de>
Subject: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability
Hi list,

attached patch fixes bug #26152 as described in http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26152

Main purpose was to handle backslashes in the URI to avoid misleading interpretation via the underlying cygwin OS layer, which allows backslashes as directory delimiters. Therefore src/os/cygwin/util_cygwin.c implements its own ap_os_canonical_filename() routine to map backslashes to slashes and rely on the subsequent directory_walk() and file_walk() security mechanisms.

Please review and apply to cvs. I will update the binary apache 1.3.29-x distribution package for the cygwin net distribution with this fix.

Stipe

mailto:tolj@wapme-systems.de
-------------------------------------------------------------------
Wapme Systems AG
Münsterstr. 248
40470 Düsseldorf, NRW, Germany
phone: +49.211.74845.0
fax: +49.211.74845.299
mailto:info@wapme-systems.de
http://www.wapme-systems.de/
-------------------------------------------------------------------

Attachment: apache_1.3.29-cygwin-bug-26152.diff
diff -urN apache_1.3.29/src/os/cygwin/Makefile.tmpl apache_1.3.29-cygwin/src/os/cygwin/Makefile.tmpl
--- apache_1.3.29/src/os/cygwin/Makefile.tmpl	2001-04-02 11:22:10.000000000 +0200
+++ apache_1.3.29-cygwin/src/os/cygwin/Makefile.tmpl	2004-02-04 17:14:27.600481600 +0100
@@ -3,7 +3,7 @@
 INCLUDES=$(INCLUDES1) $(INCLUDES0) $(EXTRA_INCLUDES)
 LDFLAGS=$(LDFLAGS1) $(EXTRA_LDFLAGS)
 
-OBJS=	os.o os-inline.o
+OBJS=	os.o os-inline.o util_cygwin.o
 
 LIB=	libos.a
 
@@ -37,6 +37,12 @@
 
 $(OBJS): Makefile
 
+$(INCDIR)/os.h: os.h
+	cp $< $@
+	
+$(INCDIR)/os-inline.c: os-inline.c
+	cp $< $@
+
 # DO NOT REMOVE
 os-inline.o: os-inline.c $(INCDIR)/ap_config.h \
  $(INCDIR)/ap_mmn.h $(INCDIR)/ap_config_auto.h \
@@ -44,3 +50,8 @@
 os.o: os.c $(INCDIR)/ap_config.h $(INCDIR)/ap_mmn.h \
  $(INCDIR)/ap_config_auto.h $(OSDIR)/os.h \
  $(INCDIR)/ap_ctype.h $(INCDIR)/hsregex.h os.h
+util_cygwin.o: util_cygwin.c $(INCDIR)/httpd.h $(INCDIR)/ap_config.h \
+ $(INCDIR)/ap_mmn.h $(INCDIR)/ap_config_auto.h \
+ $(INCDIR)/os.h $(INCDIR)/os-inline.c $(INCDIR)/ap_ctype.h \
+ $(INCDIR)/hsregex.h $(INCDIR)/ap_alloc.h $(INCDIR)/buff.h \
+ $(INCDIR)/ap.h $(INCDIR)/util_uri.h $(INCDIR)/http_log.h
diff -urN apache_1.3.29/src/os/cygwin/os.h apache_1.3.29-cygwin/src/os/cygwin/os.h
--- apache_1.3.29/src/os/cygwin/os.h	2003-02-03 18:13:32.000000000 +0100
+++ apache_1.3.29-cygwin/src/os/cygwin/os.h	2004-02-04 17:14:27.630524800 +0100
@@ -88,6 +88,10 @@
 #define PLATFORM "Cygwin"
 #endif
 
+/* define that we implement our own ap_os_canonical_filename() to 
+ * circumvent backslash security holes in cygwin path processing. */
+#define HAVE_CANONICAL_FILENAME
+
 /* 
  * Define winsock.h and winsock2.h stuff taken from Win32 API in case we  
  * want to do socket communication in Win32 native way rather then using 
diff -urN apache_1.3.29/src/os/cygwin/util_cygwin.c apache_1.3.29-cygwin/src/os/cygwin/util_cygwin.c
--- apache_1.3.29/src/os/cygwin/util_cygwin.c	1970-01-01 01:00:00.000000000 +0100
+++ apache_1.3.29-cygwin/src/os/cygwin/util_cygwin.c	2004-02-04 17:14:27.640539200 +0100
@@ -0,0 +1,81 @@
+/* ====================================================================
+ * The Apache Software License, Version 1.1
+ *
+ * Copyright (c) 2000-2003 The Apache Software Foundation.  All rights
+ * reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. The end-user documentation included with the redistribution,
+ *    if any, must include the following acknowledgment:
+ *       "This product includes software developed by the
+ *        Apache Software Foundation (http://www.apache.org/)."
+ *    Alternately, this acknowledgment may appear in the software itself,
+ *    if and wherever such third-party acknowledgments normally appear.
+ *
+ * 4. The names "Apache" and "Apache Software Foundation" must
+ *    not be used to endorse or promote products derived from this
+ *    software without prior written permission. For written
+ *    permission, please contact apache@apache.org.
+ *
+ * 5. Products derived from this software may not be called "Apache",
+ *    nor may "Apache" appear in their name, without prior written
+ *    permission of the Apache Software Foundation.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ * Portions of this software are based upon public domain software
+ * originally written at the National Center for Supercomputing Applications,
+ * University of Illinois, Urbana-Champaign.
+ */
+
+#include <os.h>
+#include "httpd.h"
+#include "http_log.h"
+
+
+API_EXPORT(char *) ap_os_canonical_filename(pool *pPool, const char *szFile)
+{
+    char *buf;
+    char buf2[MAX_STRING_LEN];
+    int rc, len; 
+    char *pos;
+    
+    len = strlen(szFile);
+    buf = ap_pstrndup(pPool, szFile, len);
+
+    /* Switch backslashes to forward */
+    for (pos=buf; *pos; pos++)
+        if (*pos == '\\')
+            *pos = '/';
+    
+    return ap_pstrdup(pPool, buf);
+}
+
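Review bot: in the Makefile.tmpl hunk at `@@ -37,6 +37,12 @@` the line following `+	cp $< $@` in the `$(INCDIR)/os.h: os.h` rule is whitespace-only (a lone tab); make it an empty line like the one that ends the `$(INCDIR)/os-inline.c` rule, so the two copy rules are formatted the same way.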
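Review bot: in the os.h hunk the comment line `+/* define that we implement our own ap_os_canonical_filename() to ` ends in trailing whitespace; while touching it, say in the comment what the Cygwin routine actually does and does not do, i.e. that it only maps backslashes to slashes and leaves the remaining path checks to directory_walk() and file_walk() (as the cover mail states), since a reader who sees HAVE_CANONICAL_FILENAME defined would otherwise expect the fuller canonicalisation the other platforms perform.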
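Review bot: in util_cygwin.c, `char buf2[MAX_STRING_LEN];` and `rc` are declared but never used (`buf2` reserves a MAX_STRING_LEN-byte stack array for nothing), and `#include "http_log.h"` is likewise unused; drop all three. Also, `buf = ap_pstrndup(pPool, szFile, len);` with `len = strlen(szFile)` is just a pool copy of the whole string, and `return ap_pstrdup(pPool, buf);` then copies that pool string a second time; rewrite the loop over `buf` and `return buf;` directly.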
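The cover mail's reasoning, as an added example that is not part of the patch or of Apache: the same backslash-to-slash mapping the patch's ap_os_canonical_filename() performs, written without the Apache pool API, placed in front of a slash-only dot-segment walk that stands in for directory_walk(). The request paths in the checks are constructed samples.

```c
#include <stddef.h>

/* Same transformation as the patch's ap_os_canonical_filename(), minus the
 * Apache pool: copy src into dst turning every backslash into a slash. */
static void canonical_filename(char *dst, size_t dstlen, const char *src)
{
    size_t i;
    for (i = 0; i + 1 < dstlen && src[i]; i++)
        dst[i] = (src[i] == '\\') ? '/' : src[i];
    dst[i] = '\0';
}

/* Stand-in for directory_walk(): a slash-only walk that resolves "." and
 * ".." segments. Returns 1 if the path never climbs above the root, 0 if
 * a ".." segment would take it outside. */
static int walk_stays_in_root(const char *path)
{
    int depth = 0;
    const char *p = path;
    while (*p) {
        const char *seg = p;
        size_t len;
        while (*p && *p != '/') p++;     /* backslashes are NOT separators here */
        len = (size_t)(p - seg);
        if (*p == '/') p++;
        if (len == 0 || (len == 1 && seg[0] == '.'))
            continue;                    /* empty or "." segment */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (--depth < 0) return 0;   /* escaped the document root */
        } else {
            depth++;
        }
    }
    return 1;
}

/* Unfixed server: "htdocs\..\..\secret.txt" is ONE segment to the walk,
 * so it is reported safe although Cygwin would treat '\' as '/'. */
static int check_without_fix(const char *request_path)
{
    return walk_stays_in_root(request_path);
}

/* Fixed server: canonicalise first, so the walk sees the ".." segments. */
static int check_with_fix(const char *request_path)
{
    char canon[256];                     /* constructed size limit */
    canonical_filename(canon, sizeof canon, request_path);
    return walk_stays_in_root(canon);
}
```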