Robert L Mathews wrote:
Shouldn't the first one operate on lfi, like so:
    if ((res = apr_lstat(lfi, d, lfi->valid | APR_FINFO_OWNER, p))
yes...
Otherwise, it seems that lfi->user could be random junk, leading to a very likely false HTTP_FORBIDDEN result (and the small possibility of an erroneous OK result).
In practice it's almost never called; most platforms targeting Apache do automatically fill in FINFO_OWNER. Only on oddballs, like win32, will you get a 'basic' stat, and in that case we re-query for the owner. Most of the time, lfi was filled in before we hit this code. Good catch though!
