httpd-dev mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: Improper string concatenation in mod_alias allows code execution out of bounds defined in apache config file.
Date Mon, 08 Feb 2016 16:37:22 GMT
Thanks Eric, now looping back to
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_alias.c?revision=153384&view=co
to see if this behavior was changed, by which commit, so that we ensure
the docs match the behavior and can determine what the "correct" behavior
was supposed to be in the first place :)





On Mon, Feb 8, 2016 at 10:26 AM, Eric Covener <covener@gmail.com> wrote:

> quite old: http://svn.apache.org/viewcvs?rev=326143&view=rev
>
> On Mon, Feb 8, 2016 at 11:25 AM, William A Rowe Jr <wrowe@rowe-clan.net>
> wrote:
> > On Mon, Feb 8, 2016 at 10:20 AM, William A Rowe Jr <wrowe@rowe-clan.net>
> > wrote:
> >>
> >>
> >> This is worthy of discussion on docs@httpd, so please allow me to cite
> >> your example... Your report does suggest that we might illustrate this
> >> alias effect more clearly in the docs, e.g. an example like this;
> >>
> >>   Note that unexpected expansion may occur when trailing slashes
> >>   are omitted, including the case of "Alias / /foo". Given the example;
> >>     Alias /icons /usr/share/icons
> >>   A request for /icons/small.gif is mapped to /usr/share/icons/small.gif
> >>   A request for /icons-private/small.gif is mapped to
> >>   /usr/share/icons-private/small.gif
> >>   This behavior is by-design.
> >
> >
> > When did this get mis-stated at
> > http://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias, the
> > information seems most incorrect...
> >
> > Alias "/image" "/ftp/pub/image"
> >
> > A request for http://example.com/image/foo.gif would cause the server to
> > return the file /ftp/pub/image/foo.gif. Only complete path segments are
> > matched, so the above alias would not match a request for
> > http://example.com/imagefoo.gif.
> >
> >
> >
>
>
>
> --
> Eric Covener
> covener@gmail.com
>
>
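
The two alias-matching behaviors discussed in this thread (plain string-prefix expansion versus whole-path-segment matching), as an added C example that is not part of the original message and not code from mod_alias.c. The function names map_string_prefix and map_whole_segment are hypothetical, and the inputs are the paths quoted above:

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not code from mod_alias.c. Both functions map a
 * request URI through one "Alias fake real" rule and write the result to out.
 * Return 1 if the alias applied, 0 if it did not (or out was too small). */

/* Reading 1: plain string-prefix match, remainder appended verbatim. */
int map_string_prefix(const char *fake, const char *real, const char *uri,
                      char *out, size_t outlen)
{
    size_t n = strlen(fake);
    if (strncmp(uri, fake, n) != 0)
        return 0;
    int w = snprintf(out, outlen, "%s%s", real, uri + n);
    return w >= 0 && (size_t)w < outlen;
}

/* Reading 2: the prefix must end on a path-segment boundary, i.e. the URI
 * ends there, the next character is '/', or the alias itself ends in '/'. */
int map_whole_segment(const char *fake, const char *real, const char *uri,
                      char *out, size_t outlen)
{
    size_t n = strlen(fake);
    if (strncmp(uri, fake, n) != 0)
        return 0;
    if (n > 0 && fake[n - 1] != '/' && uri[n] != '\0' && uri[n] != '/')
        return 0;   /* e.g. /icons must not capture /icons-private */
    int w = snprintf(out, outlen, "%s%s", real, uri + n);
    return w >= 0 && (size_t)w < outlen;
}

int main(void)
{
    const char *uris[] = { "/icons/small.gif", "/icons-private/small.gif", "/icons" };
    char a[256], b[256];
    for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++) {
        int ra = map_string_prefix("/icons", "/usr/share/icons", uris[i], a, sizeof a);
        int rb = map_whole_segment("/icons", "/usr/share/icons", uris[i], b, sizeof b);
        printf("%-26s prefix: %-36s segment: %s\n", uris[i],
               ra ? a : "(no match)", rb ? b : "(no match)");
    }
    return 0;
}
```

Under the segment rule, an alias whose URL path is "/" (the "Alias / /foo" case mentioned above) still matches every request and appends the remainder directly, so /bar becomes /foobar.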
