Subject: Re: Improper string concatenation in mod_alias allows code execution out of bounds defined in apache config file.
From: William A Rowe Jr <wrowe@rowe-clan.net>
To: docs@httpd.apache.org, httpd
Date: Mon, 8 Feb 2016 11:32:58 -0600
List: dev@httpd.apache.org

On Mon, Feb 8, 2016 at 11:21 AM, William A Rowe Jr wrote:
> I think my text below should have stated;
>
> Note that unexpected expansion occurs when trailing slashes are
> not balanced between the source url and target path. For example,
> Alias / /usr/share/htdocs
> will resolve http://example.com/-private/ as /usr/share/htdocs-private/
> while
> Alias /content/ /usr/share/htdocs
> will similarly result in the URL /content/-private/ resolving to the
> path /usr/share/htdocs-private/
>
> The statement could use some word-smithing.

An actual use-case that may exist in the wild would look like:

Alias /user/ /path/to/users-

where http://example.com/user/wrowe/ would map to /path/to/users-wrowe

Or some similar scenario to map to .../webapp-wrowe. Lots of possible but rare applications.

If we were to lock this behavior down with warnings, we might want to introduce a run-immediate directive "AliasWarnConcatenation off" that allows the "wiser" administrator to go without our stern warnings.
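The concatenation behaviour the thread describes, reproduced as an added example (not httpd code, and not from the message above): `alias_matches` is a simplified Python port of mod_alias's prefix matcher, `resolve_alias` shows the resulting filesystem path, and `lint_alias_config` is a hypothetical checker that flags `Alias` lines whose URL prefix and target disagree on a trailing slash, which is the imbalance the proposed warning would catch. The sample configuration is constructed.

```python
import re

def alias_matches(uri: str, fake: str) -> int:
    """Simplified port of mod_alias's prefix match (added example).

    Returns how many URI characters the alias prefix consumes, or 0 if
    it does not apply. A '/' in the alias matches one or more '/' in
    the URI; every other character is compared literally.
    """
    a = u = 0
    while a < len(fake):
        if fake[a] == '/':
            if u >= len(uri) or uri[u] != '/':
                return 0
            while a < len(fake) and fake[a] == '/':
                a += 1
            while u < len(uri) and uri[u] == '/':
                u += 1
        else:
            if u >= len(uri) or uri[u] != fake[a]:
                return 0
            a += 1
            u += 1
    # An alias with no trailing slash must end on a path-component boundary,
    # so "/content" never matches "/contents".
    if fake[-1] != '/' and u < len(uri) and uri[u] != '/':
        return 0
    return u

def resolve_alias(uri: str, fake: str, real: str):
    """Path mod_alias produces: target + unmatched remainder, by plain
    string concatenation. With fake ending in '/' and real not, the
    remainder is glued onto the last directory name."""
    n = alias_matches(uri, fake)
    return None if n == 0 else real + uri[n:]

ALIAS_RE = re.compile(r'^\s*Alias\s+(\S+)\s+(\S+)\s*$')

def lint_alias_config(config: str) -> list:
    """Return (lineno, fake, real) for Alias lines with unbalanced trailing
    slashes. Hypothetical check, not an httpd feature."""
    warnings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = ALIAS_RE.match(line)
        if m and m.group(1).endswith('/') != m.group(2).endswith('/'):
            warnings.append((lineno, m.group(1), m.group(2)))
    return warnings

# Constructed sample configuration; only line 3 is balanced.
SAMPLE_CONFIG = """Alias / /usr/share/htdocs
Alias /content/ /usr/share/htdocs
Alias /icons/ /usr/share/apache2/icons/
Alias /user/ /path/to/users-
"""
```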