marc 98/01/05 12:46:13
Modified: src Tag: APACHE_1_2_X http_config.c Log: SECURITY: If a htaccess file can not be read due to bad permissions, deny access to the directory with a HTTP_FORBIDDEN. The previous behavior was to ignore the htaccess file if it could not be read. This change may make some setups with unreadable htaccess files stop working. The previous lack of checking the return means that in some obscure cases it may be possible to bypass a htaccess file if a full path including the htaccess is too long (i.e. > PATH_MAX) yet the path to a file in the same directory isn't. PR: 817 Reviewed by: Martin Kraemer, Mark J Cox, Dean Gaudet, Randy Terbush Revision Changes Path No revision No revision 1.49.2.3 +10 -2 apache/src/http_config.c Index: http_config.c =================================================================== RCS file: /export/home/cvs/apache/src/http_config.c,v retrieving revision 1.49.2.2 retrieving revision 1.49.2.3 diff -u -r1.49.2.2 -r1.49.2.3 --- http_config.c 1997/06/29 18:08:36 1.49.2.2 +++ http_config.c 1998/01/05 20:46:12 1.49.2.3 @@ -821,8 +821,16 @@ } *result = dc; - } else - dc = NULL; + } else { + if (errno == ENOENT || errno == ENOTDIR) + dc = NULL; + else { + log_unixerr("pfopen", filename, + "unable to check htaccess file, ensure it is readable", + r->server); + return HTTP_FORBIDDEN; + } + } /* cache it */ new = palloc(r->pool, sizeof(struct htaccess_result));
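Review bot: In the new else branch, the `errno == ENOENT || errno == ENOTDIR` test relies on errno still holding the value from the failed open that log_unixerr names as "pfopen", and that call sits above the visible context. If anything can run between the call and this branch, save errno into a local right after the call and test the local instead. The shape of the check is right: only "no such file" falls through to `dc = NULL`, and every other error fails closed with HTTP_FORBIDDEN. The reason for that is recorded only in the commit log, though, so a short comment above the `if` saying that other errors (including an over-long path) must deny access would keep a later cleanup from collapsing it back to `dc = NULL`. The message text "ensure it is readable" also describes the permissions case better than the over-long path case the log message mentions; a more neutral wording would avoid sending an admin to check file modes when the path length is the cause.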