This is in response to a Debian bug request; basically it just tightens up
the list of characters allowed in file names, so that we don't include
.dotfiles, backups, etc.
Thoughts?
-Thom
Index: server/config.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/server/config.c,v
retrieving revision 1.156
diff -u -r1.156 config.c
--- server/config.c 12 Sep 2002 20:04:07 -0000 1.156
+++ server/config.c 21 Nov 2002 01:58:06 -0000
@@ -76,6 +76,7 @@
#include "apr_portable.h"
#include "apr_file_io.h"
#include "apr_fnmatch.h"
+#include "apr_lib.h"
#define APR_WANT_STDIO
#define APR_WANT_STRFUNC
@@ -1434,6 +1435,20 @@
return strcmp(f1->fname,f2->fname);
}
+static int fname_valid(const char *fname)
+{
+ const char *c = fname;
+ if (!apr_isalnum(*c))
+ return 0;
+ ++c;
+ while (*c) {
+ if(!apr_isalnum(*c) && *c!='_' && *c!='-' && *c!='.')
+ return 0;
+ ++c;
+ }
+ return 1;
+}
+
AP_DECLARE(void) ap_process_resource_config(server_rec *s, const char *fname,
ap_directive_t **conftree,
apr_pool_t *p,
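Review bot: fname_valid() still accepts many backup and package-manager leftovers, because `.` and `-` are allowed after the first character. Names such as `site.conf.bak`, `site.conf.orig` or `site.conf.dpkg-old` pass; only a leading non-alphanumeric character (dotfiles, `#foo#`) or a character like `~` or `,` causes rejection. Files that pass are presumably parsed as live configuration by ap_process_resource_config, so a stale copy left in an included directory could quietly bring back directives an administrator believed were removed. The function also has no comment; I would add one that states the real contract, e.g. `/* Accept only [A-Za-z0-9][A-Za-z0-9_.-]*; rejects dotfiles and editor backups (foo~, #foo#), but NOT foo.bak or foo.dpkg-old. */`. If excluding backups is the goal, the check could also require an expected suffix.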
@@ -1510,7 +1525,8 @@
&& strcmp(dirent.name, "..")
&& (!ispatt ||
apr_fnmatch(pattern, dirent.name,
- FNM_PERIOD) == APR_SUCCESS)) {
+ FNM_PERIOD) == APR_SUCCESS)
+ && fname_valid(dirent.name)) {
fnew = (fnames *) apr_array_push(candidates);
fnew->fname = ap_make_full_path(p, path, dirent.name);
}
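Review bot: The added `&& fname_valid(dirent.name)` term skips a file without any log message, and it does so even when `ispatt` is true and the name already matched the administrator's own wildcard. A snippet that carries access restrictions but has a `+`, `@` or space in its name would stop loading after this change, with nothing in the error log, so the server would start with a weaker configuration than intended. Either apply the character filter only to the no-pattern case, `&& (ispatt || fname_valid(dirent.name))`, or split the condition so a rejected name is reported at warning level before being skipped. The start of this condition and the enclosing directory loop are outside the hunk, so the exact placement of a log call needs checking against the full function.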