From: "Kaspar Brand"
Subject: [PATCH 2.0] PR 31302 suexec doesn't execute commands if they're not in the current dir
Date: Sat, 4 Jun 2005 17:00:33 +0200

At 08:47 PM 6/2/2005, Bill wrote:
> One more useful clue, keyword it PatchAvailable once you have
> a solution (attached) so that committers seeking low-hanging fruit
> can prune some off and close the bugs.

... this is what I was trying to do for PR 31302 (hoping that the fix would find its way into 2.0.54), but obviously my posting to the mailing list on 3 April didn't catch anybody's attention... so I'm making a second attempt. Cf. also http://issues.apache.org/bugzilla/show_bug.cgi?id=31302

For the sake of completeness, I'm attaching the patch to this message (in the meantime, I realized that apr_pstrdup is not necessary at that point, actually the whole line can just be replaced by "cmdpath = parsed_string").

Comments welcome, of course - and looking forward to 2.0.55...

Kaspar ------=_NextPart_000_08F0_01C56926.EBA7BEC0 Content-Type: application/octet-stream; name="mod_cgi-ssi_exec.patch" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="mod_cgi-ssi_exec.patch" Index: mod_cgi.c=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- mod_cgi.c (revision 159030)=0A= +++ mod_cgi.c (working copy)=0A= @@ -419,7 +419,7 @@=0A= e_info->err_pipe)) !=3D APR_SUCCESS) = ||=0A= ((rc =3D apr_procattr_dir_set(procattr, =0A= ap_make_dirstr_parent(r->pool,=0A= - r->filename))) !=3D = APR_SUCCESS) ||=0A= + command))) !=3D = APR_SUCCESS) ||=0A= #ifdef RLIMIT_CPU=0A= ((rc =3D apr_procattr_limit_set(procattr, APR_LIMIT_CPU,=0A= conf->limit_cpu)) !=3D = APR_SUCCESS) ||=0A= @@ -1124,6 +1124,8 @@=0A= char *file =3D r->filename;=0A= apr_bucket *tmp_buck;=0A= char parsed_string[MAX_STRING_LEN];=0A= + char *cmdpath =3D NULL;=0A= + apr_status_t rv;=0A= =0A= *inserted_head =3D NULL;=0A= if (ctx->flags & FLAG_PRINTING) {=0A= 
@@ -1146,7 +1148,22 @@=0A= if (!strcmp(tag, "cmd")) {=0A= cgi_pfn_ps(r, ctx, tag_val, parsed_string,=0A= sizeof(parsed_string), 1);=0A= - if (include_cmd(ctx, bb, parsed_string, r, f) = =3D=3D -1) {=0A= + if (ap_os_is_path_absolute(r->pool, parsed_string)) = {=0A= + cmdpath =3D apr_pstrdup(r->pool, parsed_string);=0A= + }=0A= + else {=0A= + if ((rv =3D apr_filepath_merge(&cmdpath,=0A= + ap_make_dirstr_parent(r->pool, = r->filename),=0A= + parsed_string, = APR_FILEPATH_NOTRELATIVE,=0A= + r->pool)) !=3D APR_SUCCESS) {=0A= + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,=0A= + "could not determine absolute = "=0A= + "pathname for %s", = parsed_string);=0A= + CREATE_ERROR_BUCKET(ctx, tmp_buck, head_ptr,=0A= + *inserted_head);=0A= + }=0A= + }=0A= + if (include_cmd(ctx, bb, cmdpath, r, f) =3D=3D -1) {=0A= ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,=0A= "execution failure for parameter = \"%s\" "=0A= "to tag exec in file %s", tag, = r->filename);=0A= ------=_NextPart_000_08F0_01C56926.EBA7BEC0--
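
Review bot: In the @@ -1146,7 +1148,22 @@ hunk, the apr_filepath_merge failure branch logs the error and calls CREATE_ERROR_BUCKET but does not stop there, so control falls through to include_cmd(ctx, bb, cmdpath, r, f) with cmdpath never set to a usable path (it is initialised to NULL in the @@ -1124,6 +1124,8 @@ hunk). Make the include_cmd call conditional on a successful merge, for example by moving it into an else branch or skipping it while cmdpath is NULL, so that a failed merge yields one logged error and no exec attempt. The apr_pstrdup in the absolute-path branch can also be dropped, as the covering message already says: parsed_string is a local buffer of the same function, so cmdpath = parsed_string is sufficient.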
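
Review bot: In the @@ -419,7 +419,7 @@ hunk, ap_make_dirstr_parent(r->pool, command) treats command as a plain file path, and nothing in the visible lines guarantees that. ap_make_dirstr_parent cuts at the last slash, so a command string that carries arguments containing a slash gives a directory that is not the program's, and a string with no slash at all gives an empty directory for apr_procattr_dir_set. Please confirm what every caller passes as command, and add a short comment here saying why the child's working directory now follows the command rather than r->filename, since this line is also reached by ordinary CGI requests.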