This is in response to a Debian bug request; basically it just tightens up the list of allowed characters, so we don't include .dotfiles, backups, etc. Thoughts? -Thom
Index: server/config.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/server/config.c,v
retrieving revision 1.156
diff -u -r1.156 config.c
--- server/config.c 12 Sep 2002 20:04:07 -0000 1.156
+++ server/config.c 21 Nov 2002 01:58:06 -0000
@@ -76,6 +76,7 @@
 #include "apr_portable.h"
 #include "apr_file_io.h"
 #include "apr_fnmatch.h"
+#include "apr_lib.h"
 #define APR_WANT_STDIO
 #define APR_WANT_STRFUNC
@@ -1434,6 +1435,20 @@
 return strcmp(f1->fname,f2->fname);
 }
+static int fname_valid(const char *fname)
+{
+ const char *c = fname;
+ if (!apr_isalnum(*c))
+ return 0;
+ ++c;
+ while (*c) {
+ if(!apr_isalnum(*c) && *c!='_' && *c!='-' && *c!='.')
+ return 0;
+ ++c;
+ }
+ return 1;
+}
+
 AP_DECLARE(void) ap_process_resource_config(server_rec *s, const char *fname, ap_directive_t **conftree, apr_pool_t *p,
@@ -1510,7 +1525,8 @@
 && strcmp(dirent.name, "..")
 && (!ispatt || apr_fnmatch(pattern, dirent.name,
- FNM_PERIOD) == APR_SUCCESS)) {
+ FNM_PERIOD) == APR_SUCCESS)
+ && fname_valid(dirent.name)) {
 fnew = (fnames *) apr_array_push(candidates);
 fnew->fname = ap_make_full_path(p, path, dirent.name);
 }
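Review bot: The allowlist in `fname_valid` still accepts `.` anywhere after the first character, so suffix-style backups such as `foo.conf.bak` or `foo.conf.orig` pass; only dotfiles and names containing characters like `~` or `#` are rejected. That is narrower than the "backups" the description mentions, and a stale copy of a config file left beside the live one would still be parsed. The function also has no comment stating the rule, and `apr_isalnum` presumably follows the C library locale, so the accepted set may differ outside the "C" locale. I would add above it: `/* Accept only names that start with an alphanumeric and otherwise contain [A-Za-z0-9_.-]; suffix backups like foo.bak are NOT filtered. */`.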
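Review bot: An entry that fails `fname_valid(dirent.name)` in the new condition is left out of `candidates` with no log message. A file that loaded before this change (one with a space or `+` in its name, say) silently stops being parsed, and any access-control directives it carries stop applying without the administrator being told. The test also applies when `ispatt` is set, so it can override a wildcard the administrator wrote explicitly. I would check the name in its own branch and warn there, e.g. `ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "Include: skipping %s (unsupported characters in file name)", dirent.name);`. The enclosing loop and the start of the `if` lie outside this hunk, so the exact placement needs checking against the full function.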