httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert L Mathews <>
Subject Is SymlinksIfOwnerMatch checked correctly in request.c?
Date Fri, 23 Sep 2005 01:03:59 GMT
While looking at request.c, I noticed some code that doesn't make sense 
to me, although it's quite possible that I am just being an idiot. From 
2.0.54 request.c:

   /* OPT_SYM_OWNER only works if we can get the owner of
    * both the file and symlink.  First fill in a missing
    * owner of the symlink, then get the info of the target.
   if (!(lfi->valid & APR_FINFO_OWNER)) {
       if ((res = apr_lstat(&fi, d, lfi->valid | APR_FINFO_OWNER, p))
           != APR_SUCCESS) {
           return HTTP_FORBIDDEN;

   if ((res = apr_stat(&fi, d, lfi->valid & ~(APR_FINFO_NAME), p))
       != APR_SUCCESS) {
       return HTTP_FORBIDDEN;

   if (apr_compare_users(fi.user, lfi->user) != APR_SUCCESS) {
       return HTTP_FORBIDDEN;

It appears to me that the apr_lstat and apr_stat calls are supposed to 
set lfi->user and fi.user, respectively, so they can be compared. 
However, it looks like they're both operating on &fi, meaning that 
lfi->user doesn't get set.

Shouldn't the first one operate on lfi, like so:

       if ((res = apr_lstat(lfi, d, lfi->valid | APR_FINFO_OWNER, p))

Otherwise, it seems that lfi->user could be random junk, leading to a 
very likely false HTTP_FORBIDDEN result (and the small possibility of an 
erroneous OK result).

Or am I just confused?

Robert L Mathews, Tiger Technologies

View raw message