dgaudet 98/02/13 19:39:20
Modified: src CHANGES mod_userdir.c
Log:
Deal with /~.. and lame UserDir /abspath.
PR: 1701
Submitted by: Lauri Jesmin <[EMAIL PROTECTED]>
Reviewed by: Dean Gaudet, Marc Slemko
Revision Changes Path
1.294 +5 -0 apache-1.2/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /export/home/cvs/apache-1.2/src/CHANGES,v
retrieving revision 1.293
retrieving revision 1.294
diff -u -r1.293 -r1.294
--- CHANGES 1998/02/14 02:51:36 1.293
+++ CHANGES 1998/02/14 03:39:18 1.294
@@ -1,5 +1,10 @@
Changes with Apache 1.2.6
+ *) SECURITY: "UserDir /abspath" without a * in the path would allow
+ remote users to access "/~.." and bypass access restrictions
+ (but note /~../.. was handled properly).
+ [Lauri Jesmin <[EMAIL PROTECTED]>] PR#1701
+
*) mod_rewrite's RewriteLog should behave like mod_log_config, it
shouldn't force hostname lookups. [Dean Gaudet] PR#1684
1.16 +2 -1 apache-1.2/src/mod_userdir.c
Index: mod_userdir.c
===================================================================
RCS file: /export/home/cvs/apache-1.2/src/mod_userdir.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- mod_userdir.c 1998/01/30 09:14:10 1.15
+++ mod_userdir.c 1998/02/14 03:39:18 1.16
@@ -128,7 +128,8 @@
dname = name + 2;
w = getword(r->pool, &dname, '/');
- if (!strcmp(w, ""))
+ /* disallow the empty username, . and .. */
+ if (w[0] == '\0' || (w[1] == '.' && (w[2] == '\0' || (w[2] == '.' &&
w[3] == '\0'))))
return DECLINED;
/* The 'dname' funny business involves backing it up to capture
