Hello David
The proposed patch will go into the file compat_win32.c, in function
protect_against_code_disclosure(),
therefore it will not affect shttpd in non-windows environments.
Best regards
Rudi Farkas
On Thu, Sep 25, 2008 at 6:49 AM, David Lethe <[EMAIL PROTECTED]> wrote:
> >From: Sergey Lyubka [mailto:[EMAIL PROTECTED]
> >Sent: Wednesday, September 24, 2008 7:09 AM
> >To: Rudi Farkas
> >Cc: [email protected]
> >Subject: Re: [shttpd-general] shttpd : Error 500,problem with
> case-insensitive file names on Windows
> >
> >cool, thanks. to be patched in
> >On Tue, Sep 23, 2008 at 9:52 PM, Rudi Farkas <[EMAIL PROTECTED]>
> wrote:
> >How to reproduce (shttpd on WinXP or similar):
> >1. in the shttpd root directory, create a file named NoName.html,
> containing some text
> >2. from a browser on the same computer, ask for
> http://localhost/NoName.html - this will work
> >3. from a browser on the same computer, ask for
> http://localhost/noname.html - this will return Error 500 >System Error
> >With shttpd running on a unixy computer, I presume that setp 3 will
> produce an Error 404 Not Found.
> >
> >I work with shttpd 1.39, but the behavior will be same with 1.42, from
> looking at file diffs.
> >
> >Diagnostic (for step 3):
> >1. decide_what_to_do() calls get_path_info() -> my_stat() -> _wstat()
> which succeeds, being case-insensitive
> >2. decide_what_to_do() calls my_open() ->
> protect_against_code_disclosure() -> strcmp() which now compares
> >data.cFileName == "Noname1.html" to p == "noname1.html" and fails
> >3. decide_what_to_do() calls send_server_error(c, 500, "Internal Error")
> >The proposed patch that fixes the problem is
> >
> >< strcmp(data.cFileName, p) != 0)
> >> strcmpi(data.cFileName, p) != 0)
> >
> >
> >Best regards
> >Rudi Farkas
>
> It is a small thing, but I mention it only because I've seen people burned
> by this. If you are using NFS in a Windows/*NIX environment, and make
> Windows case insensitive, then the patch will break if files are on a NFS
> mount.
>
> OS X has case issues as well, but that is a whole other can o' worms.
> Arguably, the better solution would be to add a conditional compile for both
> Windows & Mac, and you'll only please 50% of the people no matter what you
> set for default ;)
>
> I suggest documenting this link that contains info on how to modify
> registry settings so you get full control of how windows handles
> case-sensitivity for NTFS, FAT, and CDFS shared files. The link is:
> http://support.microsoft.com/kb/276015
>
> Regards,
> David
>
>
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
shttpd-general mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shttpd-general
