cvs commit: apache/src CHANGES http_request.c
dgaudet 97/08/06 13:32:22 Modified:src CHANGES http_request.c Log: Fix another long-standing bug in sub_req_lookup_file where it would happily skip past access checks on subdirectories looked up with relative paths. (It's used by mod_dir, mod_negotiation, and mod_include.) Revision ChangesPath 1.388 +5 -0 apache/src/CHANGES Index: CHANGES === RCS file: /export/home/cvs/apache/src/CHANGES,v retrieving revision 1.387 retrieving revision 1.388 diff -u -r1.387 -r1.388 --- CHANGES 1997/08/06 20:21:19 1.387 +++ CHANGES 1997/08/06 20:32:18 1.388 @@ -1,5 +1,10 @@ Changes with Apache 1.3a2 + *) Fix another long-standing bug in sub_req_lookup_file where it would + happily skip past access checks on subdirectories looked up with + relative paths. (It's used by mod_dir, mod_negotiation, + and mod_include.) [Dean Gaudet] + *) directory_walk optimization to reduce an O(N*M) loop to O(N+M) where N is the number of Directory sections, and M is the number of components in the filename of an object. 1.71 +23 -14apache/src/http_request.c Index: http_request.c === RCS file: /export/home/cvs/apache/src/http_request.c,v retrieving revision 1.70 retrieving revision 1.71 diff -u -r1.70 -r1.71 --- http_request.c1997/08/06 20:21:25 1.70 +++ http_request.c1997/08/06 20:32:19 1.71 
@@ -733,22 +733,31 @@ rnew-per_dir_config = r-per_dir_config; - if ((res = check_symlinks (rnew-filename, allow_options (rnew { - log_reason (Symbolic link not allowed, rnew-filename, rnew); - rnew-status = res; - return rnew; - } - /* do a file_walk, if it doesn't change the per_dir_config then - * we know that we don't have to redo all the access checks */ - if ((res = file_walk (rnew))) { - rnew-status = res; - return rnew; - } - if (rnew-per_dir_config == r-per_dir_config) { - if ((res = find_types (rnew)) || (res = run_fixups (rnew))) { + /* no matter what, if it's a subdirectory, we need to re-run + * directory_walk */ + if (S_ISDIR (rnew-finfo.st_mode)) { + res = directory_walk (rnew); + if (!res) { + res = file_walk (rnew); + } + } else { + if ((res = check_symlinks (rnew-filename, allow_options (rnew { + log_reason (Symbolic link not allowed, rnew-filename, rnew); + rnew-status = res; + return rnew; + } + /* do a file_walk, if it doesn't change the per_dir_config then + * we know that we don't have to redo all the access checks */ + if ((res = file_walk (rnew))) { rnew-status = res; + return rnew; + } + if (rnew-per_dir_config == r-per_dir_config) { + if ((res = find_types (rnew)) || (res = run_fixups (rnew))) { + rnew-status = res; + } + return rnew; } - return rnew; } } else { /* XXX: this should be set properly like it is in the same-dir case
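Review bot: In the new `S_ISDIR` branch a failing directory_walk or file_walk leaves its error only in `res` and falls out of the if/else, while the non-directory branch stores it in `rnew->status` and returns immediately; whether the code after the enclosing `} else {` block turns that `res` into `rnew->status` is not visible in this hunk. If it does, a comment on the fall-through would stop the next reader from adding a redundant return, e.g. `/* res != 0 here means directory_walk/file_walk refused the subdir; presumably the common tail below records it in rnew->status */`; if it does not, a subrequest for a refused subdirectory would carry on with status OK, which is the class of bug this commit sets out to close. Dropping the inline check_symlinks for directories looks intentional, since directory_walk (shown in the 1997/06/23 commit further down this page) runs its own check_symlinks, but a one-line comment saying so would keep someone from re-adding it. The enclosing sub_req_lookup_file starts and ends outside the hunk.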
cvs commit: apache/src CHANGES http_request.c
rse 97/08/02 08:52:14 Modified:src Tag: APACHE_1_2_X CHANGES http_request.c Log: Bugfix the case where multiple Directorys match and all are applied Submitted by: Dean Gaudet Reviewed by: Dean Gaudet, Ralf S. Engelschall, Randy Terbush Revision ChangesPath No revision No revision 1.286.2.39 +3 -0 apache/src/CHANGES Index: CHANGES === RCS file: /export/home/cvs/apache/src/CHANGES,v retrieving revision 1.286.2.38 retrieving revision 1.286.2.39 diff -u -r1.286.2.38 -r1.286.2.39 --- CHANGES 1997/08/01 08:48:16 1.286.2.38 +++ CHANGES 1997/08/02 15:52:11 1.286.2.39 @@ -1,5 +1,8 @@ Changes with Apache 1.2.2 + *) Bugfix for case where multiple Directorys match and all are applied. + [Dean Gaudet] + *) Fixed an infinite loop in mod_imap for references above the server root [Dean Gaudet] PR#748 1.50.2.6 +2 -1 apache/src/http_request.c Index: http_request.c === RCS file: /export/home/cvs/apache/src/http_request.c,v retrieving revision 1.50.2.5 retrieving revision 1.50.2.6 diff -u -r1.50.2.5 -r1.50.2.6 --- http_request.c1997/07/31 08:19:49 1.50.2.5 +++ http_request.c1997/08/02 15:52:12 1.50.2.6 @@ -344,7 +344,7 @@ core_dir_config *core_dir = (core_dir_config *)get_module_config(per_dir_defaults, core_module); int overrides_here; -void *this_conf = NULL, *htaccess_conf = NULL; +void *this_conf, *htaccess_conf = NULL; char *this_dir = make_dirstr (r-pool, test_filename, i); int j; @@ -373,6 +373,7 @@ (core_dir_config *)get_module_config(entry_config, core_module); entry_dir = entry_core-d; + this_conf = NULL; if (entry_core-r) { if (!regexec(entry_core-r, this_dir, 0, NULL, (j == num_sec) ? 0 : REG_NOTEOL)) {
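Review bot: The per-entry reset `this_conf = NULL;` inside the section loop is the actual fix, so removing the `= NULL` from the declaration in the first hunk is a separate choice that buys nothing and leaves `this_conf` uninitialized between its declaration and the inner loop; any path, or any later edit, that reads it before the loop body becomes an uninitialized read. I would keep `void *this_conf = NULL, *htaccess_conf = NULL;` alongside the new reset. `htaccess_conf` is declared on the same line; I cannot see whether it is also assigned only on a matching iteration, but if so it needs the same per-entry reset. The enclosing directory_walk body starts and ends outside both hunks.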
cvs commit: apache/src CHANGES http_request.c mod_cern_meta.c mod_dir.c mod_negotiation.c
dgaudet 97/06/23 20:03:53 Modified:src CHANGES http_request.c mod_cern_meta.c mod_dir.c mod_negotiation.c Log: Fix a few security problems. Avoid problems with pipes, sockets, etc. in the filesystem. Use sub_req_lookup_file for various functions that open ancillary files, so that they have to pass the symlink tests. Also disallow slashes in HeaderName and ReadmeName to avoid ../../../hacks. Revision ChangesPath 1.296 +16 -3 apache/src/CHANGES Index: CHANGES === RCS file: /export/home/cvs/apache/src/CHANGES,v retrieving revision 1.295 retrieving revision 1.296 diff -C3 -r1.295 -r1.296 *** CHANGES 1997/06/24 01:10:56 1.295 --- CHANGES 1997/06/24 03:03:47 1.296 *** *** 7,24 *) Added NT support [Ben Laurie and Ambarish Malpani [EMAIL PROTECTED]] Changes with Apache 1.2.1 *) Update Unixware support for 2.1.2. [Lawrence Rosenman ler@lerctr.org] PR#511 ! *) Port to NonStop-UX [Joachim Schmitz [EMAIL PROTECTED]] PR#327 ! *) Update ConvexOS support for 11.5. [David DeSimone [EMAIL PROTECTED]] PR#399 *) Support for dec cc compiler under ultrix. [P. Alejandro Lopez-Valencia [EMAIL PROTECTED]] PR#388 ! *) Support for Maxion/OS SVR4.2 Real Time Unix. [no name given] PR#383 *) mod_status dumps core in inetd mode. [Marc Slemko and Roy Fielding] --- 7,37 *) Added NT support [Ben Laurie and Ambarish Malpani [EMAIL PROTECTED]] Changes with Apache 1.2.1 + + *) Don't serve file system objects unless they are plain files, symlinks, + or directories. This prevents local users from using pipes or + named sockets to invoke programs for an extremely crude form of + CGI. [Dean Gaudet] + + *) HeaderName and ReadmeName were settable in .htaccess and could + contain ../ allowing a local user to publish any file on the + system. No slashes are allowed now. [Dean Gaudet] + + *) It was possible to violate the symlink Options using mod_dir (headers, + readmes, titles), mod_negotiation (type maps), or mod_cern_meta + (meta files). [Dean Gaudet] *) Update Unixware support for 2.1.2. 
[Lawrence Rosenman ler@lerctr.org] PR#511 ! *) Port to NonStop-UX [Joachim Schmitz [EMAIL PROTECTED]] PR#327 ! *) Update ConvexOS support for 11.5. [David DeSimone [EMAIL PROTECTED]] PR#399 *) Support for dec cc compiler under ultrix. [P. Alejandro Lopez-Valencia [EMAIL PROTECTED]] PR#388 ! *) Support for Maxion/OS SVR4.2 Real Time Unix. [no name given] PR#383 *) mod_status dumps core in inetd mode. [Marc Slemko and Roy Fielding] 1.52 +41 -4 apache/src/http_request.c Index: http_request.c === RCS file: /export/home/cvs/apache/src/http_request.c,v retrieving revision 1.51 retrieving revision 1.52 diff -C3 -r1.51 -r1.52 *** http_request.c1997/06/15 19:22:27 1.51 --- http_request.c1997/06/24 03:03:47 1.52 *** *** 85,90 --- 85,108 * they change, all the way down. */ + + /* + * We don't want people able to serve up pipes, or unix sockets, or other + * scary things. Note that symlink tests are performed later. + */ + static int check_safe_file(request_rec *r) + { + if (r-finfo.st_mode == 0 /* doesn't exist */ + || S_ISDIR (r-finfo.st_mode) + || S_ISREG (r-finfo.st_mode) + || S_ISLNK (r-finfo.st_mode)) { + return OK; + } + log_reason(object is not a file, directory or symlink, r-filename, r); + return HTTP_FORBIDDEN; + } + + int check_symlinks (char *d, int opts) { #if defined(__EMX__) || defined(WIN32) *** *** 310,320 if (res != OK) { return res; } ! if (test_filename[strlen(test_filename)-1] == '/') --num_dirs; ! if (S_ISDIR (r-finfo.st_mode)) ++num_dirs; for (i = 1; i = num_dirs; ++i) { core_dir_config *core_dir = --- 328,344 if (res != OK) { return res; } ! ! if ((res = check_safe_file(r))) { ! return res; ! } ! if (test_filename[strlen(test_filename)-1] == '/') --num_dirs; ! if (S_ISDIR (r-finfo.st_mode)) { ! ++num_dirs; ! } for (i = 1; i = num_dirs; ++i) { core_dir_config *core_dir = *** *** 399,406 r-per_dir_config = per_dir_defaults; ! if ((res = check_symlinks (r-filename, allow_options(r ! { log_reason(Symbolic link not allowed,
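Review bot: check_safe_file in the first hunk treats `r->finfo.st_mode == 0` as "does not exist", which is only sound if finfo was zeroed before the stat() that fills it failed — stat() leaves the buffer unspecified on error, and that reset is not in this hunk. A comment stating the invariant would make the contract explicit, e.g. `/* st_mode == 0: the caller's stat() failed and finfo was reset beforehand (confirm in directory_walk) */`. The `S_ISLNK` arm is reachable only if finfo came from lstat(); with the stat() used by get_path_info elsewhere on this page it is dead, so symlink policy rests entirely on check_symlinks, which the header comment should say plainly rather than "symlink tests are performed later". Because this classifies a cached stat() result, it narrows rather than closes the window between the test and the later open(), so the comment should not claim more than that. The second hunk inserts the call into directory_walk, whose body continues outside the hunk.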
cvs commit: apache/src CHANGES http_request.c mod_cookies.c
randy 97/01/13 20:10:43 Branch: src RELEASE_1_1_X Modified:src CHANGES http_request.c mod_cookies.c Log: *) Fix a problem introduced by the directory index patch that breaks CGI with PATH_INFO arguments. *) Remove const in storage type declaration for make_cookie(). Reviewed by: Marc Slemko, Sameer Parekh Submitted by: Marc Slemko CS: Reviewed by: Revision ChangesPath 1.39.2.3 +7 -0 apache/src/CHANGES Index: CHANGES === RCS file: /export/home/cvs/apache/src/CHANGES,v retrieving revision 1.39.2.2 retrieving revision 1.39.2.3 diff -C3 -r1.39.2.2 -r1.39.2.3 *** CHANGES 1997/01/12 00:51:19 1.39.2.2 --- CHANGES 1997/01/14 04:10:38 1.39.2.3 *** *** 1,3 --- 1,10 + Changes with Apache 1.1.3: + + *) Fix a problem introduced by the directory index patch that + breaks CGI with PATH_INFO arguments. + + *) Remove const in storage type declaration for make_cookie(). + Changes with Apache 1.1.2: *) Fix a buffer overflow problem in mod_cookies. Without these 1.11.2.4 +5 -5 apache/src/http_request.c Index: http_request.c === RCS file: /export/home/cvs/apache/src/http_request.c,v retrieving revision 1.11.2.3 retrieving revision 1.11.2.4 diff -C3 -r1.11.2.3 -r1.11.2.4 *** http_request.c1997/01/12 05:17:24 1.11.2.3 --- http_request.c1997/01/14 04:10:39 1.11.2.4 *** *** 179,188 *cp = '\0'; return OK; } ! #if defined(ENOENT) ! else if (errno == ENOENT) { #else ! #error Your system apparently does not define ENOENT. #error Removal of these lines opens a security hole if protecting #error from directory indexes with DirectoryIndex. else { --- 179,188 *cp = '\0'; return OK; } ! #if defined(ENOENT) defined(ENOTDIR) ! else if (errno == ENOENT || errno == ENOTDIR) { #else ! #error Your system apparently does not define ENOENT || ENOTDIR. #error Removal of these lines opens a security hole if protecting #error from directory indexes with DirectoryIndex. else { *** *** 195,203 while (cp path cp[-1] == '/') --cp; } ! #if defined(ENOENT) else { ! 
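Review bot: The `#error` text in the first hunk, `#error Your system apparently does not define ENOENT || ENOTDIR.`, describes the wrong condition: the guard has to require both macros (with `||` the `errno == ENOTDIR` comparison would not compile on a system lacking it), so a platform with ENOENT but no ENOTDIR stops at this error while the message suggests the opposite. Suggest `#error Your system apparently does not define both ENOENT and ENOTDIR.`. Requiring both is the right fail-closed default, since the `#else` path is the one that can expose a directory listing; a one-line comment above the `#if` saying so would keep someone from relaxing it. The enclosing get_path_info starts and ends outside the hunk.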
log_printf(r-server, access to %s failed for client; unable to determine if index file exists (stat() returned unexpected error), r-filename); return FORBIDDEN; } #endif --- 195,203 while (cp path cp[-1] == '/') --cp; } ! #if defined(ENOENT) defined(ENOTDIR) else { ! log_printf(r-server, access to %s failed for client; unable to determine if index file exists (stat() returned unexpected error[%d]), r-filename, errno); return FORBIDDEN; } #endif 1.9.2.4 +1 -1 apache/src/Attic/mod_cookies.c Index: mod_cookies.c === RCS file: /export/home/cvs/apache/src/Attic/mod_cookies.c,v retrieving revision 1.9.2.3 retrieving revision 1.9.2.4 diff -C3 -r1.9.2.3 -r1.9.2.4 *** mod_cookies.c 1997/01/12 02:05:42 1.9.2.3 --- mod_cookies.c 1997/01/14 04:10:41 1.9.2.4 *** *** 121,127 struct timeval tv; char new_cookie[1024]; /* blurgh */ char *dot; ! const char *rname = pstrdup(r-pool, get_remote_host(r-connection, r-per_dir_config, REMOTE_NAME)); --- 121,127 struct timeval tv; char new_cookie[1024]; /* blurgh */ char *dot; ! char *rname = pstrdup(r-pool, get_remote_host(r-connection, r-per_dir_config, REMOTE_NAME));
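Review bot: The new `[%d]` reads `errno` inside the log_printf call several statements after the stat() that set it, with the `*cp = '/'` restore and the `while` loop in between; nothing there touches errno today, but the value belongs in a local captured right after the call, `int stat_errno = errno;`, used in both the comparison and the message so that a later insertion (a log call, an allocation) cannot clobber it. Printing `strerror(stat_errno)` alongside the number would save the admin a lookup. get_path_info's body starts outside this hunk.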
cvs commit: apache/src CHANGES http_request.c mod_dir.c
randy 97/01/12 12:01:23 Modified:src CHANGES http_request.c mod_dir.c Log: Properly check errno to prevent display of a directory index when server receives a long enough URL to confuse stat(). Reviewed by: Randy Terbush, Marc Slemko Submitted by: Marc Slemko Revision ChangesPath 1.119 +3 -0 apache/src/CHANGES Index: CHANGES === RCS file: /export/home/cvs/apache/src/CHANGES,v retrieving revision 1.118 retrieving revision 1.119 diff -C3 -r1.118 -r1.119 *** CHANGES 1997/01/12 19:18:46 1.118 --- CHANGES 1997/01/12 20:01:20 1.119 *** *** 1,5 --- 1,8 Changes with Apache 1.2b5 + *) Properly check errno to prevent display of a directory index + when server receives a long enough URL to confuse stat(). + *) Several security enhancements to suexec wrapper. It is _highly_ recommended that previously installed versions of the wrapper be replaced with this version. [Randy Terbush, Jason Dour] 1.36 +39 -6 apache/src/http_request.c Index: http_request.c === RCS file: /export/home/cvs/apache/src/http_request.c,v retrieving revision 1.35 retrieving revision 1.36 diff -C3 -r1.35 -r1.36 *** http_request.c1997/01/04 15:10:16 1.35 --- http_request.c1997/01/12 20:01:21 1.36 *** *** 125,135 /* OK, it's a symlink. May still be OK with OPT_SYM_OWNER */ ! if (!(opts OPT_SYM_OWNER)) return FORBIDDEN; ! if (stat (d, fi) 0) return FORBIDDEN; ! return (fi.st_uid == lfi.st_uid) ? OK : FORBIDDEN; #endif } --- 125,135 /* OK, it's a symlink. May still be OK with OPT_SYM_OWNER */ ! if (!(opts OPT_SYM_OWNER)) return HTTP_FORBIDDEN; ! if (stat (d, fi) 0) return HTTP_FORBIDDEN; ! return (fi.st_uid == lfi.st_uid) ? OK : HTTP_FORBIDDEN; #endif } *** *** 137,143 /* Dealing with the file system to get PATH_INFO */ ! void get_path_info(request_rec *r) { char *cp; char *path = r-filename; --- 137,143 /* Dealing with the file system to get PATH_INFO */ ! int get_path_info(request_rec *r) { char *cp; char *path = r-filename; *** *** 155,161 --- 155,164 /* See if the pathname ending here exists... 
*/ *cp = '\0'; + + errno = 0; rv = stat(path, r-finfo); + if (cp != end) *cp = '/'; if (!rv) { *** *** 172,180 r-path_info = pstrdup (r-pool, cp); *cp = '\0'; ! return; } else { last_cp = cp; while (--cp path *cp != '/') --- 175,203 r-path_info = pstrdup (r-pool, cp); *cp = '\0'; ! return OK; } + #if defined(ENOENT) + else if (errno == ENOENT) { + #else + #error ENOENT not defined -- check the comment below this line in the source for details + /* + * If ENOENT is not defined in one of the your OS's include + * files, Apache does not know how to check to see why the + * stat() of the index file failed; there are cases where + * it can fail even though the file exists. This means + * that it is possible for someone to get a directory + * listing of a directory even though there is an index + * (eg. index.html) file in it. If you do not have a + * problem with this, delete the above #error line and + * start the compile again. If you need to do this, please + * submit a bug report from http://www.apache.org/bug_report.html + * letting us know that you needed to do this. Please be + * sure to include the operating system you are using. + */ + else { + #endif last_cp = cp; while (--cp path *cp != '/') *** *** 182,189 --- 205,219 while (cp path cp[-1] == '/') --cp; + } + #if defined(ENOENT) + else { + log_reason(unable to determine if index file exists (stat() returned unexpected error), r-filename, r); + return HTTP_FORBIDDEN; } + #endif } + return OK; } int directory_walk (request_rec *r) *** *** 269,275 no2slash (test_filename); num_dirs = count_dirs(test_filename); ! get_path_info (r); if (test_filename[strlen(test_filename)-1] == '/') --num_dirs; --- 299,308 no2slash (test_filename);
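Review bot: The new `errno == ENOENT` test in the 172,180 hunk treats only a missing component as "keep stripping"; when an earlier component is a regular file stat() fails with ENOTDIR, which now lands in the "unexpected error" branch and is refused with HTTP_FORBIDDEN, so a PATH_INFO request such as a script path followed by extra segments stops working. Suggest `else if (errno == ENOENT || errno == ENOTDIR) {` with the guard widened to require both macros (the 1.1.x commit further up this page makes exactly that change). The log_reason in the 182,189 hunk discards errno, which is the one fact an admin needs when this branch fires; capture it into a local immediately after the stat() in the 155,161 hunk and include it in the message. get_path_info's body, and the directory_walk call site in the final hunk, continue outside these hunks.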
cvs commit: apache/src CHANGES http_request.c
randy 96/12/24 10:06:17 Modified:src CHANGES http_request.c Log: Collapse multiple slashes in path URLs to properly apply handlers defined by Location. Reviewed by: Rob Hart[h]ill, Randy Terbush Submitted by: Alexei Kosut Revision ChangesPath 1.92 +3 -0 apache/src/CHANGES Index: CHANGES === RCS file: /export/home/cvs/apache/src/CHANGES,v retrieving revision 1.91 retrieving revision 1.92 diff -C3 -r1.91 -r1.92 *** CHANGES 1996/12/20 16:27:17 1.91 --- CHANGES 1996/12/24 18:06:15 1.92 *** *** 1,5 --- 1,8 Changes with Apache 1.2b3: + *) Collapse multiple slashes in path URLs to properly apply + handlers defined by Location. [Alexei Kosut] + *) Define a sane set of DEFAULT_USER and DEFAULT_GROUP values for AIX. *) Improve the accuracy of request duration timings by setting 1.33 +9 -0 apache/src/http_request.c Index: http_request.c === RCS file: /export/home/cvs/apache/src/http_request.c,v retrieving revision 1.32 retrieving revision 1.33 diff -C3 -r1.32 -r1.33 *** http_request.c1996/12/11 05:16:08 1.32 --- http_request.c1996/12/24 18:06:16 1.33 *** *** 381,386 --- 381,392 int len, num_url = url_array-nelts; char *test_location = pstrdup (r-pool, r-uri); + /* Collapse multiple slashes, if it's a path URL (we don't want to + * do anything to Location http://... or such). + */ + if (test_location[0] == '/') + no2slash (test_location); + /* Go through the location entries, and check for matches. */ if (num_url) { *** *** 439,444 --- 445,453 core_dir_config **file = (core_dir_config **)file_array-elts; int len, num_files = file_array-nelts; char *test_file = pstrdup (r-pool, r-filename); + + /* Collapse multiple slashes */ + no2slash (test_file); /* Go through the file entries, and check for matches. */
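Review bot: The collapse in the first hunk is applied to a private copy of `r->uri` used only for the Location match, so a URI with doubled slashes now matches the section while every later consumer of `r->uri` (handlers, logging) still sees the uncollapsed form; the second hunk repeats this independently for a copy of `r->filename`. Canonicalising once, where the URI and filename are set, and matching against that would keep the matched value and the value handed to handlers identical, which is the usual canonicalise-then-check rule; if the private copies are deliberate, the comment (which only explains why non-path URIs are skipped) should also say that the originals are intentionally left alone. The functions holding these hunks, presumably the location and file walkers, start and end outside them.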