httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: Improper string concatenation in mod_alias allows code execution out of bounds defined in apache config file.
Date Mon, 08 Feb 2016 17:32:58 GMT
On Mon, Feb 8, 2016 at 11:21 AM, William A Rowe Jr <wrowe@rowe-clan.net>
wrote:

> I think my text below should have stated;
>
> Note that unexpected expansion occurs when trailing slashes are
> not balanced between the source url and target path.  For example,
> Alias / /usr/share/htdocs
> will resolve http://example.com/-private/ as /usr/share/htdocs-private/
> while
> Alias /content/ /usr/share/htdocs
> will similarly result in the the URL /content/-private/ resolving to the
> path /usr/share/htdocs-private/
>
> The statement could use some word-smithing.
>

An actual use-case that may exist in the wild would like;

Alias /user/ /path/to/users-

where

http://example.com/user/wrowe/ would map to /path/to/users-wrowe

Or some similar scenario to map to .../webapp-wrowe.  Lots of possible
but rare applications.

If we were to lock this behavior down with warnings, we might want
to introduce a run-immediate directive "AliasWarnConcatenation off"
that allows the "wiser" administrator to go without our stern warnings.

Mime
View raw message