> -----Original Message-----
> From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net]
> Sent: Monday 5 July 2010 22:35
> To: dev@apr.apache.org
> Subject: Re: [Patch] apr_filepath_merge() on "c:path" fails
> consistently on Windows if the current directory is "c:/windows"
> instead of "C:/Windows"
> 
> This patch isn't valid.
> 
> Other applications will play games with comparisons.  Comparisons require
> users to call TRUEPATH.  What seems to be needed here is for
> apr_pathname_cwd to be returning a true path.
> 
> All other comparisons are intrinsically invalid, and this has the potential
> to introduce security issues in other applications which rely on comparing
> path names.

Too bad that without this patch you can't call the truepath support on a
merged path, and that Windows has 26 (or 27) current directories while APR
assumes that there is only one.

The assumption on the upper case drive letters is applied before all the other 
checks, so you don't get to fetching a true path.

And even if you use the truepath support to normalize a path, that
doesn't normalize the drive letter casing. It just returns what you feed it.


All the security problems you mention are valid when applied to the directory 
parts of a path, but can never happen on just the drive letter and this patch 
only changes the drive letter check.

        Bert
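
A simplified model of the distinction argued over in this thread, added as an example; it is not code from the patch, from APR, or from either poster. All function names are hypothetical. It folds case on the drive letter only and leaves directory names byte for byte, so any comparison of directory parts still depends on a true-path lookup.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* All names here are hypothetical; this is a model, not APR code. */

static int has_drive(const char *p)
{
    return isalpha((unsigned char)p[0]) && p[1] == ':';
}

/* Drive letters name the same volume regardless of case. */
int same_drive(const char *a, const char *b)
{
    return has_drive(a) && has_drive(b)
        && toupper((unsigned char)a[0]) == toupper((unsigned char)b[0]);
}

/* Byte-exact drive check: rejects "c:" against "C:". */
int same_drive_exact(const char *a, const char *b)
{
    return has_drive(a) && has_drive(b) && a[0] == b[0];
}

/* Merge "c:path" onto the current directory of that drive.
 * Only the drive letter is canonicalised (to upper case); directory
 * names are copied byte for byte, so their case is left to a later
 * true-path lookup. Returns 0 on success, -1 on mismatch or overflow. */
int merge_drive_relative(const char *drive_cwd, const char *path,
                         char *out, size_t outlen)
{
    size_t n;
    int w;

    if (!same_drive(drive_cwd, path))
        return -1;
    if (path[2] == '/' || path[2] == '\\')
        return -1;                      /* rooted, not drive-relative */
    n = strlen(drive_cwd);              /* n >= 2: has_drive() passed */
    w = snprintf(out, outlen, "%c:%s%s%s",
                 toupper((unsigned char)drive_cwd[0]), drive_cwd + 2,
                 (drive_cwd[n - 1] == '/' || drive_cwd[n - 1] == '\\') ? "" : "/",
                 path + 2);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}
```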

