On 7/5/2010 3:46 PM, Bert Huijben wrote: > > Too bad, that without this patch you can't call the truepath support on a > merged path and that Windows has 26 (or 27) current directories while APR > assumes that there is only one.
Hold up... are you trying to merge non-normalized paths? I need to have a good understanding to help resolve the underlying issue. > The assumption on the upper case drive letters is applied before all the > other checks, so you don't get to fetching a true path. I'll walk through this, but your conclusion sounds correct. > And even if you would use the truepath support to normalize a path, that > doesn't normalize the drive letter casing. It just returns what you feed it. That is a serious bug we should address, too, if it turns out that it is possible to have win32 return both upper and lower case strings without ever normalizing them. > All the security problems you mention are valid when applied to the directory > parts of a path, but can never happen on just the drive letter and this patch > only changes the drive letter check. As long as the user is lead to the conclusion that *they* are entitled to do a strcmp(), but our results are inconsistent, we open their code to a security issue.
