cvs commit: apache/src CHANGES http_request.c

1997-08-06 Thread Dean Gaudet
dgaudet 97/08/06 13:32:22

  Modified:src   CHANGES http_request.c
  Log:
  Fix another long-standing bug in sub_req_lookup_file where it would
  happily skip past access checks on subdirectories looked up with
  relative paths.  (It's used by mod_dir, mod_negotiation,
  and mod_include.)
  
  Revision  ChangesPath
  1.388 +5 -0  apache/src/CHANGES
  
  Index: CHANGES
  ===
  RCS file: /export/home/cvs/apache/src/CHANGES,v
  retrieving revision 1.387
  retrieving revision 1.388
  diff -u -r1.387 -r1.388
  --- CHANGES   1997/08/06 20:21:19 1.387
  +++ CHANGES   1997/08/06 20:32:18 1.388
  @@ -1,5 +1,10 @@
   Changes with Apache 1.3a2
   
  +  *) Fix another long-standing bug in sub_req_lookup_file where it would
  + happily skip past access checks on subdirectories looked up with
  + relative paths.  (It's used by mod_dir, mod_negotiation,
  + and mod_include.) [Dean Gaudet]
  +
 *) directory_walk optimization to reduce an O(N*M) loop to O(N+M) where
N is the number of Directory sections, and M is the number of
components in the filename of an object.
  
  
  
  1.71  +23 -14apache/src/http_request.c
  
  Index: http_request.c
  ===
  RCS file: /export/home/cvs/apache/src/http_request.c,v
  retrieving revision 1.70
  retrieving revision 1.71
  diff -u -r1.70 -r1.71
  --- http_request.c1997/08/06 20:21:25 1.70
  +++ http_request.c1997/08/06 20:32:19 1.71
  @@ -733,22 +733,31 @@
   
rnew-per_dir_config = r-per_dir_config;
   
  - if ((res = check_symlinks (rnew-filename, allow_options (rnew {
  - log_reason (Symbolic link not allowed, rnew-filename, rnew);
  - rnew-status = res;
  - return rnew;
  - }
  - /* do a file_walk, if it doesn't change the per_dir_config then
  -  * we know that we don't have to redo all the access checks */
  - if ((res = file_walk (rnew))) {
  - rnew-status = res;
  - return rnew;
  - }
  - if (rnew-per_dir_config == r-per_dir_config) {
  - if ((res = find_types (rnew)) || (res = run_fixups (rnew))) {
  + /* no matter what, if it's a subdirectory, we need to re-run
  +  * directory_walk */
  + if (S_ISDIR (rnew-finfo.st_mode)) {
  + res = directory_walk (rnew);
  + if (!res) {
  + res = file_walk (rnew);
  + }
  + } else {
  + if ((res = check_symlinks (rnew-filename, allow_options (rnew {
  + log_reason (Symbolic link not allowed, rnew-filename, rnew);
  + rnew-status = res;
  + return rnew;
  + }
  + /* do a file_walk, if it doesn't change the per_dir_config then
  +  * we know that we don't have to redo all the access checks */
  + if ((res = file_walk (rnew))) {
rnew-status = res;
  + return rnew;
  + }
  + if (rnew-per_dir_config == r-per_dir_config) {
  + if ((res = find_types (rnew)) || (res = run_fixups (rnew))) {
  + rnew-status = res;
  + }
  + return rnew;
}
  - return rnew;
}
   } else {
/* XXX: this should be set properly like it is in the same-dir case
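Review bot: The non-directory branch (the `else` that starts at the `check_symlinks` call) runs only `check_symlinks`, `file_walk`, `find_types` and `run_fixups`, so unless `rnew->finfo` was already vetted earlier in `sub_req_lookup_file`, a relative lookup of a non-directory object never reaches `check_safe_file`, which lives in `directory_walk` and rejects pipes and sockets; either confirm that earlier check or add `if ((res = check_safe_file(rnew))) { rnew->status = res; return rnew; }` ahead of the symlink test. In the `S_ISDIR` branch `res` is set by `directory_walk`/`file_walk` but is neither stored in `rnew->status` nor returned within the hunk, so correctness depends on the handling after the `else` block, which is outside this view. The enclosing function starts and ends outside the hunk.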
  
  
  


cvs commit: apache/src CHANGES http_request.c

1997-08-02 Thread Ralf S. Engelschall
rse 97/08/02 08:52:14

  Modified:src   Tag: APACHE_1_2_X  CHANGES http_request.c
  Log:
  Bugfix for the case where multiple Directorys match and all are applied
  
  Submitted by: Dean Gaudet
  Reviewed by:  Dean Gaudet, Ralf S. Engelschall, Randy Terbush
  
  Revision  ChangesPath
  No   revision
  
  
  No   revision
  
  
  1.286.2.39 +3 -0  apache/src/CHANGES
  
  Index: CHANGES
  ===
  RCS file: /export/home/cvs/apache/src/CHANGES,v
  retrieving revision 1.286.2.38
  retrieving revision 1.286.2.39
  diff -u -r1.286.2.38 -r1.286.2.39
  --- CHANGES   1997/08/01 08:48:16 1.286.2.38
  +++ CHANGES   1997/08/02 15:52:11 1.286.2.39
  @@ -1,5 +1,8 @@
   Changes with Apache 1.2.2
   
  +  *) Bugfix for case where multiple Directorys match and all are applied.
  + [Dean Gaudet]
  +
 *) Fixed an infinite loop in mod_imap for references above the server root
[Dean Gaudet] PR#748
   
  
  
  
  1.50.2.6  +2 -1  apache/src/http_request.c
  
  Index: http_request.c
  ===
  RCS file: /export/home/cvs/apache/src/http_request.c,v
  retrieving revision 1.50.2.5
  retrieving revision 1.50.2.6
  diff -u -r1.50.2.5 -r1.50.2.6
  --- http_request.c1997/07/31 08:19:49 1.50.2.5
  +++ http_request.c1997/08/02 15:52:12 1.50.2.6
  @@ -344,7 +344,7 @@
   core_dir_config *core_dir =
  (core_dir_config *)get_module_config(per_dir_defaults, core_module);
int overrides_here;
  -void *this_conf = NULL, *htaccess_conf = NULL;
  +void *this_conf, *htaccess_conf = NULL;
char *this_dir = make_dirstr (r-pool, test_filename, i);
int j;
 
  @@ -373,6 +373,7 @@
  (core_dir_config *)get_module_config(entry_config, core_module);
entry_dir = entry_core-d;

  + this_conf = NULL;
if (entry_core-r) {
if (!regexec(entry_core-r, this_dir, 0, NULL,
 (j == num_sec) ? 0 : REG_NOTEOL)) {
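Review bot: The `this_conf = NULL;` added here is now the only definition of `this_conf`, because the previous hunk dropped the `= NULL` from its declaration (`void *this_conf, *htaccess_conf = NULL;`); the reset appears to sit inside the per-section loop, so any read of `this_conf` after that loop when the body never ran (no matching section) would be an uninitialized read, which is undefined behaviour in C. Keeping `void *this_conf = NULL, *htaccess_conf = NULL;` at the declaration costs nothing and preserves the per-iteration reset that fixes the stale-match bug. Whether such a read exists depends on code outside both hunks; the enclosing function starts and ends outside them.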
  
  
  


cvs commit: apache/src CHANGES http_request.c mod_cern_meta.c mod_dir.c mod_negotiation.c

1997-06-23 Thread Dean Gaudet
dgaudet 97/06/23 20:03:53

  Modified:src   CHANGES http_request.c mod_cern_meta.c mod_dir.c 
mod_negotiation.c
  Log:
  Fix a few security problems.  Avoid problems with pipes, sockets, etc. in
  the filesystem.  Use sub_req_lookup_file for various functions that
  open ancillary files, so that they have to pass the symlink tests.  Also
  disallow slashes in HeaderName and ReadmeName to avoid ../../../hacks.
  
  Revision  ChangesPath
  1.296 +16 -3 apache/src/CHANGES
  
  Index: CHANGES
  ===
  RCS file: /export/home/cvs/apache/src/CHANGES,v
  retrieving revision 1.295
  retrieving revision 1.296
  diff -C3 -r1.295 -r1.296
  *** CHANGES   1997/06/24 01:10:56 1.295
  --- CHANGES   1997/06/24 03:03:47 1.296
  ***
  *** 7,24 
  *) Added NT support [Ben Laurie and Ambarish Malpani [EMAIL PROTECTED]]

Changes with Apache 1.2.1

  *) Update Unixware support for 2.1.2.  [Lawrence Rosenman 
ler@lerctr.org]
 PR#511
  !   
  *) Port to NonStop-UX [Joachim Schmitz [EMAIL PROTECTED]] PR#327
  !   
  *) Update ConvexOS support for 11.5.  [David DeSimone [EMAIL PROTECTED]]
 PR#399

  *) Support for dec cc compiler under ultrix.
 [P. Alejandro Lopez-Valencia [EMAIL PROTECTED]] PR#388
  !   
  *) Support for Maxion/OS SVR4.2 Real Time Unix. [no name given] PR#383

  *) mod_status dumps core in inetd mode.  [Marc Slemko and Roy Fielding]
  --- 7,37 
  *) Added NT support [Ben Laurie and Ambarish Malpani [EMAIL PROTECTED]]

Changes with Apache 1.2.1
  +   
  +   *) Don't serve file system objects unless they are plain files, symlinks,
  +  or directories.  This prevents local users from using pipes or
  +  named sockets to invoke programs for an extremely crude form of
  +  CGI.  [Dean Gaudet]
  +   
  +   *) HeaderName and ReadmeName were settable in .htaccess and could
  +  contain ../ allowing a local user to publish any file on the
  +  system.  No slashes are allowed now.  [Dean Gaudet]
  + 
  +   *) It was possible to violate the symlink Options using mod_dir (headers,
  +  readmes, titles), mod_negotiation (type maps), or mod_cern_meta
  +  (meta files).  [Dean Gaudet]

  *) Update Unixware support for 2.1.2.  [Lawrence Rosenman 
ler@lerctr.org]
 PR#511
  ! 
  *) Port to NonStop-UX [Joachim Schmitz [EMAIL PROTECTED]] PR#327
  ! 
  *) Update ConvexOS support for 11.5.  [David DeSimone [EMAIL PROTECTED]]
 PR#399

  *) Support for dec cc compiler under ultrix.
 [P. Alejandro Lopez-Valencia [EMAIL PROTECTED]] PR#388
  ! 
  *) Support for Maxion/OS SVR4.2 Real Time Unix. [no name given] PR#383

  *) mod_status dumps core in inetd mode.  [Marc Slemko and Roy Fielding]
  
  
  
  1.52  +41 -4 apache/src/http_request.c
  
  Index: http_request.c
  ===
  RCS file: /export/home/cvs/apache/src/http_request.c,v
  retrieving revision 1.51
  retrieving revision 1.52
  diff -C3 -r1.51 -r1.52
  *** http_request.c1997/06/15 19:22:27 1.51
  --- http_request.c1997/06/24 03:03:47 1.52
  ***
  *** 85,90 
  --- 85,108 
 * they change, all the way down.
 */

  + 
  + /*
  +  * We don't want people able to serve up pipes, or unix sockets, or other
  +  * scary things.  Note that symlink tests are performed later.
  +  */
  + static int check_safe_file(request_rec *r)
  + {
  + if (r-finfo.st_mode == 0   /* doesn't exist */
  + || S_ISDIR (r-finfo.st_mode)
  + || S_ISREG (r-finfo.st_mode)
  + || S_ISLNK (r-finfo.st_mode)) {
  + return OK;
  + }
  + log_reason(object is not a file, directory or symlink, r-filename, 
r);
  + return HTTP_FORBIDDEN;
  + }
  + 
  + 
int check_symlinks (char *d, int opts)
{ 
#if defined(__EMX__) || defined(WIN32)
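Review bot: `check_safe_file` reads `r->finfo.st_mode == 0` as "doesn't exist", which only holds if `r->finfo` is zeroed before a failed `stat()` and never carries a previous lookup's mode; that precondition should be stated where `finfo` is filled, or the stat result should be passed in explicitly. The decision is taken from an earlier `stat()` and the object can change before it is later opened, so the check is best-effort rather than a guarantee; a comment such as `/* best-effort: decided from the earlier stat(), not from the opened descriptor */` would keep a maintainer from relying on it alone. If `finfo` comes from `stat()` rather than `lstat()`, the `S_ISLNK` arm never fires; harmless, but worth a note on that line. The accept-list shape (directory, regular file, symlink, or nothing) is the right default.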
  ***
  *** 310,320 
if (res != OK) {
return res;
}
  ! 
if (test_filename[strlen(test_filename)-1] == '/')
--num_dirs;

  ! if (S_ISDIR (r-finfo.st_mode)) ++num_dirs;

for (i = 1; i = num_dirs; ++i) {
core_dir_config *core_dir =
  --- 328,344 
if (res != OK) {
return res;
}
  ! 
  ! if ((res = check_safe_file(r))) {
  ! return res;
  ! }
  ! 
if (test_filename[strlen(test_filename)-1] == '/')
--num_dirs;

  ! if (S_ISDIR (r-finfo.st_mode)) {
  ! ++num_dirs;
  ! }

for (i = 1; i = num_dirs; ++i) {
core_dir_config *core_dir =
  ***
  *** 399,406 

r-per_dir_config = per_dir_defaults;

  ! if ((res = check_symlinks (r-filename, allow_options(r
  ! {
log_reason(Symbolic link not allowed, 

cvs commit: apache/src CHANGES http_request.c mod_cookies.c

1997-01-13 Thread Randy Terbush
randy   97/01/13 20:10:43

  Branch:  src   RELEASE_1_1_X
  Modified:src   CHANGES http_request.c mod_cookies.c
  Log:
*) Fix a problem introduced by the directory index patch that
   breaks CGI with PATH_INFO arguments.
  
*) Remove const in storage type declaration for make_cookie().
  
  Reviewed by: Marc Slemko, Sameer Parekh
  Submitted by: Marc Slemko
  CS: Reviewed by:
  
  Revision  ChangesPath
  1.39.2.3  +7 -0  apache/src/CHANGES
  
  Index: CHANGES
  ===
  RCS file: /export/home/cvs/apache/src/CHANGES,v
  retrieving revision 1.39.2.2
  retrieving revision 1.39.2.3
  diff -C3 -r1.39.2.2 -r1.39.2.3
  *** CHANGES   1997/01/12 00:51:19 1.39.2.2
  --- CHANGES   1997/01/14 04:10:38 1.39.2.3
  ***
  *** 1,3 
  --- 1,10 
  + Changes with Apache 1.1.3:
  + 
  +   *) Fix a problem introduced by the directory index patch that
  +  breaks CGI with PATH_INFO arguments.
  + 
  +   *) Remove const in storage type declaration for make_cookie().
  + 
Changes with Apache 1.1.2:

  *) Fix a buffer overflow problem in mod_cookies. Without these
  
  
  
  1.11.2.4  +5 -5  apache/src/http_request.c
  
  Index: http_request.c
  ===
  RCS file: /export/home/cvs/apache/src/http_request.c,v
  retrieving revision 1.11.2.3
  retrieving revision 1.11.2.4
  diff -C3 -r1.11.2.3 -r1.11.2.4
  *** http_request.c1997/01/12 05:17:24 1.11.2.3
  --- http_request.c1997/01/14 04:10:39 1.11.2.4
  ***
  *** 179,188 
*cp = '\0';
return OK;
}
  ! #if defined(ENOENT)
  ! else if (errno == ENOENT) {
#else
  !   #error Your system apparently does not define ENOENT.
  #error Removal of these lines opens a security hole if protecting
  #error from directory indexes with DirectoryIndex.
else {
  --- 179,188 
*cp = '\0';
return OK;
}
  ! #if defined(ENOENT)  defined(ENOTDIR)
  ! else if (errno == ENOENT || errno == ENOTDIR) {
#else
  !   #error Your system apparently does not define ENOENT || ENOTDIR.
  #error Removal of these lines opens a security hole if protecting
  #error from directory indexes with DirectoryIndex.
else {
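Review bot: The new `errno == ENOTDIR` arm on the `else if` line deserves a one-line comment saying why it counts as "no index file here": when a leading path component is a plain file (the CGI-with-PATH_INFO case this fix is for) `stat()` fails with `ENOTDIR` rather than `ENOENT`, so both must take the walk-back branch instead of the `FORBIDDEN` fallback. Suggest `/* ENOTDIR: a leading component is a plain file, treat like ENOENT and keep stripping */` above the `else if`. The enclosing function starts and ends outside this hunk.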
  ***
  *** 195,203 
while (cp  path  cp[-1] == '/')
--cp;
} 
  ! #if defined(ENOENT)
else {
  ! log_printf(r-server, access to %s failed for client; unable to 
determine if index file exists (stat() returned unexpected error), 
r-filename);
return FORBIDDEN;
}
#endif
  --- 195,203 
while (cp  path  cp[-1] == '/')
--cp;
} 
  ! #if defined(ENOENT)  defined(ENOTDIR)
else {
  ! log_printf(r-server, access to %s failed for client; unable to 
determine if index file exists (stat() returned unexpected error[%d]), 
r-filename, errno);
return FORBIDDEN;
}
#endif
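Review bot: The `errno` handed to `log_printf` on the changed line is read some distance after the failing `stat()`, so any call later inserted between them would clobber it and the log would report the wrong error; capture it immediately after the call (`int saved_errno = errno;`) and pass the saved value to both the `errno == ENOENT || errno == ENOTDIR` test and the log message. Keeping the fail-closed `return FORBIDDEN;` for unexplained failures is right. The enclosing function starts outside this hunk.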
  
  
  
  1.9.2.4   +1 -1  apache/src/Attic/mod_cookies.c
  
  Index: mod_cookies.c
  ===
  RCS file: /export/home/cvs/apache/src/Attic/mod_cookies.c,v
  retrieving revision 1.9.2.3
  retrieving revision 1.9.2.4
  diff -C3 -r1.9.2.3 -r1.9.2.4
  *** mod_cookies.c 1997/01/12 02:05:42 1.9.2.3
  --- mod_cookies.c 1997/01/14 04:10:41 1.9.2.4
  ***
  *** 121,127 
struct timeval tv;
char new_cookie[1024];  /* blurgh */
char *dot;
  ! const char *rname = pstrdup(r-pool, 
get_remote_host(r-connection, 
r-per_dir_config,
REMOTE_NAME));

  --- 121,127 
struct timeval tv;
char new_cookie[1024];  /* blurgh */
char *dot;
  ! char *rname = pstrdup(r-pool, 
get_remote_host(r-connection, 
r-per_dir_config,
REMOTE_NAME));

  
  
  


cvs commit: apache/src CHANGES http_request.c mod_dir.c

1997-01-12 Thread Randy Terbush
randy   97/01/12 12:01:23

  Modified:src   CHANGES http_request.c mod_dir.c
  Log:
  Properly check errno to prevent display of a directory index
  when server receives a long enough URL to confuse stat().
  Reviewed by: Randy Terbush, Marc Slemko
  Submitted by: Marc Slemko
  
  Revision  ChangesPath
  1.119 +3 -0  apache/src/CHANGES
  
  Index: CHANGES
  ===
  RCS file: /export/home/cvs/apache/src/CHANGES,v
  retrieving revision 1.118
  retrieving revision 1.119
  diff -C3 -r1.118 -r1.119
  *** CHANGES   1997/01/12 19:18:46 1.118
  --- CHANGES   1997/01/12 20:01:20 1.119
  ***
  *** 1,5 
  --- 1,8 
Changes with Apache 1.2b5

  +   *) Properly check errno to prevent display of a directory index
  +  when server receives a long enough URL to confuse stat().
  + 
  *) Several security enhancements to suexec wrapper. It is _highly_
 recommended that previously installed versions of the wrapper
 be replaced with this version.  [Randy Terbush, Jason Dour]
  
  
  
  1.36  +39 -6 apache/src/http_request.c
  
  Index: http_request.c
  ===
  RCS file: /export/home/cvs/apache/src/http_request.c,v
  retrieving revision 1.35
  retrieving revision 1.36
  diff -C3 -r1.35 -r1.36
  *** http_request.c1997/01/04 15:10:16 1.35
  --- http_request.c1997/01/12 20:01:21 1.36
  ***
  *** 125,135 

/* OK, it's a symlink.  May still be OK with OPT_SYM_OWNER */

  ! if (!(opts  OPT_SYM_OWNER)) return FORBIDDEN;

  ! if (stat (d, fi)  0) return FORBIDDEN;

  ! return (fi.st_uid == lfi.st_uid) ? OK : FORBIDDEN;

#endif
}
  --- 125,135 

/* OK, it's a symlink.  May still be OK with OPT_SYM_OWNER */

  ! if (!(opts  OPT_SYM_OWNER)) return HTTP_FORBIDDEN;

  ! if (stat (d, fi)  0) return HTTP_FORBIDDEN;

  ! return (fi.st_uid == lfi.st_uid) ? OK : HTTP_FORBIDDEN;

#endif
}
  ***
  *** 137,143 
/* Dealing with the file system to get PATH_INFO
 */

  ! void get_path_info(request_rec *r)
{
char *cp;
char *path = r-filename;
  --- 137,143 
/* Dealing with the file system to get PATH_INFO
 */

  ! int get_path_info(request_rec *r)
{
char *cp;
char *path = r-filename;
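Review bot: Changing `get_path_info` to return `int` makes it a status-returning call whose result every caller must now test, but the comment block above still says only "Dealing with the file system to get PATH_INFO". Suggest extending it with `/* Returns OK, or HTTP_FORBIDDEN when stat() fails for a reason other than a missing component (see the errno check below) */` so the contract is visible at the definition. The function body continues outside the hunk.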
  ***
  *** 155,161 
  --- 155,164 
/* See if the pathname ending here exists... */
  
*cp = '\0';
  + 
  + errno = 0;
rv = stat(path, r-finfo);
  + 
if (cp != end) *cp = '/';
  
if (!rv) {
  ***
  *** 172,180 

r-path_info = pstrdup (r-pool, cp);
*cp = '\0';
  ! return;
}
else {
last_cp = cp;

while (--cp  path  *cp != '/')
  --- 175,203 

r-path_info = pstrdup (r-pool, cp);
*cp = '\0';
  ! return OK;
}
  + #if defined(ENOENT)
  + else if (errno == ENOENT) {
  + #else
  + #error ENOENT not defined -- check the comment below this line in the 
source for details
  + /*
  +  * If ENOENT is not defined in one of the your OS's include
  +  * files, Apache does not know how to check to see why the
  +  * stat() of the index file failed; there are cases where
  +  * it can fail even though the file exists.  This means
  +  * that it is possible for someone to get a directory
  +  * listing of a directory even though there is an index
  +  * (eg. index.html) file in it.  If you do not have a
  +  * problem with this, delete the above #error line and
  +  * start the compile again.  If you need to do this, please
  +  * submit a bug report from http://www.apache.org/bug_report.html
  +  * letting us know that you needed to do this.  Please be
  +  * sure to include the operating system you are using.  
  +  */
  + 
else {
  + #endif
last_cp = cp;

while (--cp  path  *cp != '/')
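Review bot: The new `else if (errno == ENOENT)` arm is the only `stat()` failure that keeps stripping path components, so when a leading component is a plain file (the case PATH_INFO exists for, such as a script followed by extra path) `stat()` fails with `ENOTDIR` and the request falls into the `HTTP_FORBIDDEN` branch further down; the test should read `else if (errno == ENOENT || errno == ENOTDIR) {`, with the guard widened to `#if defined(ENOENT) && defined(ENOTDIR)`. The `#error` block's advice to delete the guard and rebuild is a deliberate fail-open, since the `#else` path then takes every stat failure through the walk-back `else {`; if it stays, the comment should say plainly that removing the `#error` restores the pre-fix directory-index behaviour. The enclosing function starts outside the hunk.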
  ***
  *** 182,189 
  --- 205,219 

while (cp  path  cp[-1] == '/')
--cp;
  + } 
  + #if defined(ENOENT)
  + else {
  + log_reason(unable to determine if index file exists (stat() 
returned unexpected error), r-filename, r);
  + return HTTP_FORBIDDEN;
}
  + #endif
}
  + return OK;
}
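Review bot: The `log_reason` added in the `#if defined(ENOENT)` else arm reports an "unexpected error" without saying which one, so an operator seeing the resulting `HTTP_FORBIDDEN` cannot distinguish an over-long path from a permission or I/O failure; `log_reason` takes no format arguments, so capture `errno` into a local right after the `stat()` and report it through `log_printf` instead. Keeping the fail-closed `return HTTP_FORBIDDEN;` is the right choice. The enclosing function starts outside the hunk.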

int directory_walk (request_rec *r)
  ***
  *** 269,275 
no2slash (test_filename);
num_dirs = count_dirs(test_filename);

  ! get_path_info (r);

if (test_filename[strlen(test_filename)-1] == '/')
--num_dirs;
  --- 299,308 
no2slash (test_filename);

cvs commit: apache/src CHANGES http_request.c

1996-12-24 Thread Randy Terbush
randy   96/12/24 10:06:17

  Modified:src   CHANGES http_request.c
  Log:
  Collapse multiple slashes in path URLs to properly apply
  handlers defined by Location.
  Reviewed by:  Rob Hart[h]ill, Randy Terbush
  Submitted by: Alexei Kosut
  
  Revision  ChangesPath
  1.92  +3 -0  apache/src/CHANGES
  
  Index: CHANGES
  ===
  RCS file: /export/home/cvs/apache/src/CHANGES,v
  retrieving revision 1.91
  retrieving revision 1.92
  diff -C3 -r1.91 -r1.92
  *** CHANGES   1996/12/20 16:27:17 1.91
  --- CHANGES   1996/12/24 18:06:15 1.92
  ***
  *** 1,5 
  --- 1,8 
Changes with Apache 1.2b3:

  +   *) Collapse multiple slashes in path URLs to properly apply
  +  handlers defined by Location. [Alexei Kosut]
  + 
  *) Define a sane set of DEFAULT_USER and DEFAULT_GROUP values for AIX.

  *) Improve the accuracy of request duration timings by setting
  
  
  
  1.33  +9 -0  apache/src/http_request.c
  
  Index: http_request.c
  ===
  RCS file: /export/home/cvs/apache/src/http_request.c,v
  retrieving revision 1.32
  retrieving revision 1.33
  diff -C3 -r1.32 -r1.33
  *** http_request.c1996/12/11 05:16:08 1.32
  --- http_request.c1996/12/24 18:06:16 1.33
  ***
  *** 381,386 
  --- 381,392 
int len, num_url = url_array-nelts;
char *test_location = pstrdup (r-pool, r-uri);

  + /* Collapse multiple slashes, if it's a path URL (we don't want to
  +  * do anything to Location http://... or such).
  +  */
  + if (test_location[0] == '/')
  + no2slash (test_location);
  + 
/* Go through the location entries, and check for matches. */

if (num_url) {
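Review bot: `no2slash` is applied to `test_location`, the `pstrdup` copy, so the `Location` match sees the collapsed form while `r->uri` itself presumably stays as received; that asymmetry is intentional but unstated, and any later consumer of `r->uri` will not see the normalization. Suggest `/* only the comparison copy is collapsed; r->uri is left as received */` on the new block. The leading-`/` test correctly leaves absolute URLs alone, as the existing comment says. The enclosing function starts and ends outside the hunk.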
  ***
  *** 439,444 
  --- 445,453 
core_dir_config **file = (core_dir_config **)file_array-elts;
int len, num_files = file_array-nelts;
char *test_file = pstrdup (r-pool, r-filename);
  + 
  + /* Collapse multiple slashes */
  + no2slash (test_file);

/* Go through the file entries, and check for matches. */