dgaudet 98/02/13 19:26:59
Modified: src CHANGES
src/modules/standard mod_userdir.c
Log:
Fix security hole with "UserDir /a/b" without a * in the path... you
could request /~../ and get /a.
(djg: I also did a few touches of cleanup.)
PR: 1701
Submitted by: Lauri Jesmin <[EMAIL PROTECTED]>
Reviewed by: Marc Slemko, Dean Gaudet
Revision Changes Path
1.629 +5 -0 apache-1.3/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.628
retrieving revision 1.629
diff -u -r1.628 -r1.629
--- CHANGES 1998/02/14 03:07:53 1.628
+++ CHANGES 1998/02/14 03:26:56 1.629
@@ -1,5 +1,10 @@
Changes with Apache 1.3b6
+ *) SECURITY: "UserDir /abspath" without a * in the path would allow
+ remote users to access "/~.." and bypass access restrictions
+ (but note /~../.. was handled properly).
+ [Lauri Jesmin <[EMAIL PROTECTED]>] PR#1701
+
*) os_is_path_absolute() now takes a const char * instead of a char *.
[Dean Gaudet]
1.28 +6 -10 apache-1.3/src/modules/standard/mod_userdir.c
Index: mod_userdir.c
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/modules/standard/mod_userdir.c,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -r1.27 -r1.28
--- mod_userdir.c 1998/02/03 08:52:52 1.27
+++ mod_userdir.c 1998/02/14 03:26:58 1.28
@@ -226,9 +226,9 @@
}
/*
- * If there's no username, it's not for us.
+ * If there's no username, it's not for us. Ignore . and .. as well.
*/
- if (!strcmp(w, "")) {
+ if (w[0] == '\0' || (w[1] == '.' && (w[2] == '\0' || (w[2] == '.' &&
w[3] == '\0')))) {
return DECLINED;
}
/*
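Review bot: The added condition on the `if (w[0] == '\0' || (w[1] == '.' ...` line indexes one position too far: it tests `w[1]` for a dot and then `w[2]`/`w[3]`, so it never checks whether the name starts with a dot. Assuming `w` is the NUL-terminated name taken after `/~` (it is assigned above the hunk), `..` is declined only because its second character is a dot followed by the terminator. A bare `.` is not declined although the new comment says it is, and names of the form `x.` or `x..` are declined unintentionally. The condition that matches the comment is `if (w[0] == '\0' || (w[0] == '.' && (w[1] == '\0' || (w[1] == '.' && w[2] == '\0')))) {`. The enclosing function starts and ends outside the hunk.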
@@ -259,12 +259,7 @@
if (strchr(userdir, '*'))
x = getword(r->pool, &userdir, '*');
-#if defined(__EMX__) || defined(WIN32)
- /* Add support for OS/2 drive letters */
- if ((userdir[0] == '/') || (userdir[1] == ':') || (userdir[0] ==
'\0')) {
-#else
- if ((userdir[0] == '/') || (userdir[0] == '\0')) {
-#endif
+ if (userdir[0] == '\0' || os_is_path_absolute(userdir)) {
if (x) {
#ifdef WIN32
/*
@@ -273,10 +268,11 @@
* know of no protocols that are a single letter, if the : is
* the second character, I will assume a file was specified
*/
- if (strchr(x + 2, ':')) {
+ if (strchr(x + 2, ':'))
#else
- if (strchr(x, ':')) {
+ if (strchr(x, ':'))
#endif /* WIN32 */
+ {
redirect = pstrcat(r->pool, x, w, userdir, dname, NULL);
table_setn(r->headers_out, "Location", redirect);
return REDIRECT;
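Review bot: In the WIN32 branch, `strchr(x + 2, ':')` skips two bytes of `x` without checking that `x` holds at least two characters. `x` appears to be the part of the configured pattern before the `*` (the `getword` call is in the previous hunk), so an empty or one-character prefix would start the search past the string's terminator. Whether such a prefix can reach this point depends on configuration handling that is not shown here. A guard such as `if (x[0] != '\0' && x[1] != '\0' && strchr(x + 2, ':'))` keeps the search inside the string. The read predates this commit, but the line is rewritten here; the block it opens continues past the end of the hunk.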