Module Name: src Committed By: leot Date: Sat Dec 15 12:39:22 UTC 2018
Modified Files: src/libexec/httpd: bozohttpd.c Log Message: Avoid .htpasswd exposure to authenticated users when .htpasswd is in the slashdir too. Problem reported by JP via tech-security@ and discussed with <mrg>, thanks! To generate a diff of this commit: cvs rdiff -u -r1.104 -r1.105 src/libexec/httpd/bozohttpd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/libexec/httpd/bozohttpd.c
diff -u src/libexec/httpd/bozohttpd.c:1.104 src/libexec/httpd/bozohttpd.c:1.105
--- src/libexec/httpd/bozohttpd.c:1.104 Sat Dec 15 09:28:27 2018
+++ src/libexec/httpd/bozohttpd.c Sat Dec 15 12:39:22 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: bozohttpd.c,v 1.104 2018/12/15 09:28:27 leot Exp $ */
+/* $NetBSD: bozohttpd.c,v 1.105 2018/12/15 12:39:22 leot Exp $ */
 /* $eterna: bozohttpd.c,v 1.178 2011/11/18 09:21:15 mrg Exp $ */
@@ -1467,7 +1467,7 @@ check_bzredirect(bozo_httpreq_t *request
 } else if (basename == NULL) {
 strcpy(path, ".");
 strcpy(dir, "");
- basename = dir;
+ basename = request->hr_file + 1;
 } else {
 *basename++ = '\0';
 strcpy(path, dir);
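Review bot: The new `basename = request->hr_file + 1;` assumes hr_file is non-empty and starts with `/`, which nothing in this hunk establishes; check_bzredirect begins and ends outside the hunk, so confirm an earlier check guarantees it before the `+ 1` is applied. The assignment also makes basename point into the request's own buffer rather than the local `dir`, so any later write through basename (as the `*basename++ = '\0'` branch does on `dir`) would modify the request; presumably none occurs on this path, but that is worth verifying. Because the old `basename = dir;` looks harmless until one notices that `strcpy(dir, "")` has just emptied it, a comment would protect the fix from being undone as a cleanup, e.g. `/* dir is now ""; use the request's file name so .htpasswd in the slashdir is still recognised */`. A regression test that requests the password file from the slashdir as an authenticated user would pin the behaviour described in the log message.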