httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <>
Subject Re: Improper string concatenation in mod_alias allows code execution out of bounds defined in apache config file.
Date Mon, 08 Feb 2016 17:32:58 GMT
On Mon, Feb 8, 2016 at 11:21 AM, William A Rowe Jr <>

> I think my text below should have stated;
> Note that unexpected expansion occurs when trailing slashes are
> not balanced between the source url and target path.  For example,
> Alias / /usr/share/htdocs
> will resolve as /usr/share/htdocs-private/
> while
> Alias /content/ /usr/share/htdocs
> will similarly result in the the URL /content/-private/ resolving to the
> path /usr/share/htdocs-private/
> The statement could use some word-smithing.

An actual use-case that may exist in the wild would like;

Alias /user/ /path/to/users-

where would map to /path/to/users-wrowe

Or some similar scenario to map to .../webapp-wrowe.  Lots of possible
but rare applications.

If we were to lock this behavior down with warnings, we might want
to introduce a run-immediate directive "AliasWarnConcatenation off"
that allows the "wiser" administrator to go without our stern warnings.

View raw message