Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability
Stipe Tolj wrote:
>
> Hi Roy,
>
> "Roy T. Fielding" wrote
> >
> > -1. Reject the request with a 400 error instead.
>
> actually a standard (apache layout) install (from source) on a linux
> box with the URI described in the bug report gives also a 404, and
> *not* a 400 in response.
>
> So we get the same behaviour on cygwin as on linux?! Why is the
> behaviour on cygwin then "more wrong"?

which does not mean that I'm veto'ing the -1 in terms of HTTP response code semantics. That's ok for me and actually I would be +1 for responding 400 to a "non-valid, abusing" URI.

But just to mention that the linux install did the same. So either we should have it changed generically, but not specifically for cygwin IMO.

Stipe

mailto:[EMAIL PROTECTED]
---
Wapme Systems AG
Münsterstr. 248
40470 Düsseldorf, NRW, Germany
phone: +49.211.74845.0
fax: +49.211.74845.299
mailto:[EMAIL PROTECTED]
http://www.wapme-systems.de/
---
Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability
"William A. Rowe, Jr." wrote:
>
> At 05:45 PM 2/4/2004, Roy T. Fielding wrote:
> >-1. Reject the request with a 400 error instead.
>
> ++1 to Roy's suggestion.
>
> I believe that Win32 may accept the back slash (with the changes proposed
> for the cygwin port.) However ... here's the trick ... the cygwin httpd port
> is emulating Unix, so it should behave as a unix port.

which means actually what? ... I didn't get the point. Maybe it's too late here... ;)

Stipe
Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability
Hi Roy,

"Roy T. Fielding" wrote
>
> -1. Reject the request with a 400 error instead.

actually a standard (apache layout) install (from source) on a linux box with the URI described in the bug report gives also a 404, and *not* a 400 in response.

So we get the same behaviour on cygwin as on linux?! Why is the behaviour on cygwin then "more wrong"?

Stipe
Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability
At 05:45 PM 2/4/2004, Roy T. Fielding wrote:
>-1. Reject the request with a 400 error instead.

++1 to Roy's suggestion.

I believe that Win32 may accept the back slash (with the changes proposed for the cygwin port.) However ... here's the trick ... the cygwin httpd port is emulating Unix, so it should behave as a unix port.

Bill
Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability
-1. Reject the request with a 400 error instead.

Roy
Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability
On Wed, Feb 04, 2004 at 05:48:48PM +0100, Stipe Tolj wrote: > Hi list, > > attached patch fixes the bug# 26152 as described in > http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26152 > > Main purpose was to handle backslashes in the URI to avoid misleading > interpretation via the underlying cygwin OS layer, which allows > backslashes as directory delimiters. > > Therefore src/os/cygwin/util_cygwin.c implements it's own > ap_os_canonical_filename() routine to map backslashes to slashes and > relly on the afterlying directory_walk() and file_walk() security > mechanisms. Thanks (but please send the diffs in a registered plaintext format, e.g. text/plain, not application/x-unknown-content-type-diff_auto_file) +API_EXPORT(char *) ap_os_canonical_filename(pool *pPool, const char *szFile) +{ +char *buf; +char buf2[MAX_STRING_LEN]; +int rc, len; +char *pos; + +len = strlen(szFile); +buf = ap_pstrndup(pPool, szFile, len); + +/* Switch backslashes to forward */ +for (pos=buf; *pos; pos++) +if (*pos == '\\') +*pos = '/'; + +return ap_pstrdup(pPool, buf); IMO this additional dupping is not needed; just "return buf;" +} Martin -- <[EMAIL PROTECTED]> | Fujitsu Siemens Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730 Munich, Germany
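Review bot: in ap_os_canonical_filename() the locals buf2 and rc are declared but never used in the lines shown, and len only carries strlen(szFile) into ap_pstrndup(), so a single ap_pstrdup(pPool, szFile) followed by the loop and "return buf;" does the same work with one pool allocation instead of two. The function also has no comment stating that it rewrites every backslash and rejects nothing, which matters because the objection raised in this thread is that such a request should get a 400; a header comment saying that traversal checks are left to directory_walk() and file_walk() would document what this routine does and does not guarantee.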
[SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability
Hi list,

attached patch fixes the bug# 26152 as described in http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26152

Main purpose was to handle backslashes in the URI to avoid misleading interpretation via the underlying cygwin OS layer, which allows backslashes as directory delimiters.

Therefore src/os/cygwin/util_cygwin.c implements its own ap_os_canonical_filename() routine to map backslashes to slashes and rely on the afterlying directory_walk() and file_walk() security mechanisms.

Please review and apply to cvs. I will update the binary apache 1.3.29-x distribution package for the cygwin net distribution with this fix.

Stipe

apache_1.3.29-cygwin-bug-26152.diff
Description: application/unknown-content-type-diff_auto_file
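The two ways of handling a backslash that this thread weighs (rewrite it to a slash, or refuse the request with a 400), shown side by side as an added example; it is not part of the attached patch or of Apache's source. All function names and the sample path are constructed for illustration, and the path is assumed to be the already-unescaped URI path.

```c
#include <stdio.h>
#include <string.h>

#define URI_OK          0
#define URI_BAD_REQUEST 400   /* status suggested in the replies */

/* Return 1 if any segment of path, split on the given delimiters, is "..". */
static int has_dotdot_segment(const char *path, const char *delims)
{
    const char *p = path;
    while (*p) {
        size_t n = strcspn(p, delims);   /* length of the current segment */
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p += n;
        if (*p)
            p++;                         /* step over one delimiter */
    }
    return 0;
}

/* Policy A (what the patch does): rewrite '\\' to '/' in place, so that
 * later checks which only know '/' see the same segments as the OS layer. */
void map_backslashes(char *path)
{
    for (; *path; path++)
        if (*path == '\\')
            *path = '/';
}

/* Policy B (suggested in the replies): refuse any path with a backslash. */
int reject_backslashes(const char *path)
{
    return strchr(path, '\\') ? URI_BAD_REQUEST : URI_OK;
}

/* A check that splits on '/' only, versus a layer that also splits on '\\'. */
int slash_only_sees_dotdot(const char *p) { return has_dotdot_segment(p, "/"); }
int os_layer_sees_dotdot(const char *p)   { return has_dotdot_segment(p, "/\\"); }

int main(void)
{
    char path[] = "/a\\..\\..\\b";       /* constructed sample path */

    printf("slash-only check sees '..': %d\n", slash_only_sees_dotdot(path));
    printf("OS-layer view sees '..':    %d\n", os_layer_sees_dotdot(path));
    printf("policy B status:            %d\n", reject_backslashes(path));
    map_backslashes(path);
    printf("after policy A: %s, slash-only check sees '..': %d\n",
           path, slash_only_sees_dotdot(path));
    return 0;
}
```

The mismatch between the first two results is the gap the patch closes by normalising before the walk, while policy B closes it by never letting the path reach the filesystem layer.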