[jira] Commented: (MODPYTHON-128) Have assigning req.filename automatically update req.finfo.

2006-02-23 Thread Graham Dumpleton (JIRA)
[ http://issues.apache.org/jira/browse/MODPYTHON-128?page=comments#action_12367490 ]

Graham Dumpleton commented on MODPYTHON-128:


Here is a link to a discussion of a similar change being ported from mod_perl 1 to 
mod_perl 2.

  http://www.gossamer-threads.com/lists/modperl/dev/8281

Their code was:

+static MP_INLINE
+char *mpxs_Apache__RequestRec_filename(pTHX_ request_rec *r, 
+ SV *name)
+{
+char *retval = r-filename;
+
+if (name) {
+STRLEN len;
+const char *val = SvPV(name, len);
+
+MP_TRACE_o(MP_FUNC, setting r-filename to %s\n, 
+   val);
+
+/* set r-filename to the incoming value */
+r-filename = apr_pstrndup(r-pool, val, len);
+
+/* and update r-finfo so later calcuations work properly */
+apr_status_t rv = apr_stat(r-finfo, r-filename, 
+   APR_FINFO_MIN, r-pool);
+
+if (rv != APR_SUCCESS) {
+ MP_TRACE_o(MP_FUNC, unable to update finfo for %s\n, 
+name);
+ r-finfo.filetype = 0;
+}
+}
+
+return retval;
+}
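Review bot: the failure-path trace `MP_TRACE_o(MP_FUNC, unable to update finfo for %s\n, name)` passes `name`, which is the `SV *` argument, to a `%s` conversion, whereas the success-path trace correctly passes `val`, the C string obtained from `SvPV`; use `val` (or `r->filename`) there. Two smaller points: on stat failure only `filetype` is reset to 0, so the other `finfo` fields keep whatever the previous stat wrote, and clearing the whole struct (with `APR_NOFILE` rather than a bare 0) would make the invalid state unambiguous; and `apr_status_t rv` is declared after statements inside the block, which is not valid C89 and should move to the top of the `if` body.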

Worth noting is that they set finfo.filetype to 0 if stat fails.

Consulting:

  http://docx.webperf.org/structapr__finfo__t.html
  http://docx.webperf.org/group__apr__file__info.html#gga3a66
  http://docx.webperf.org/apr__file__info_8h-source.html

rather than being assigned to zero, the constant APR_NOFILE should probably be 
used.

Is finfo.filetype being 0/APR_NOFILE truly indicative of the data not being valid 
by itself?

Need to dig into apr_stat() further when I have time.

 Have assigning req.filename automatically update req.finfo.
 ---

  Key: MODPYTHON-128
  URL: http://issues.apache.org/jira/browse/MODPYTHON-128
  Project: mod_python
 Type: Improvement
   Components: core
 Versions: 3.3
 Reporter: Graham Dumpleton


 Although it is possible to assign a new value to req.filename, it is not 
 possible to update req.finfo based on the new filename.
 Suggest that if req.filename is assigned a new value, apr_stat() be 
 automatically called to update req.finfo. I.e., internally mod_python would 
 do something like:
   apr_stat(&r->finfo, r->filename, APR_FINFO_MIN, r->pool);
 I believe that mod_perl supports a similar feature, but would need to confirm 
 this.
 Related to req.filename, req.canonical_filename should also be 
 writable, as when changing req.filename the latter should by rights be 
 updated as well.

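As an added example (not mod_python's or mod_perl's code), this is the "assign the filename, then re-stat it" step the issue proposes, written against POSIX stat() instead of apr_stat() so it builds without APR headers; the struct and function names (request_rec_t, finfo_t, FT_NOFILE, set_filename) are constructed stand-ins for request_rec, apr_finfo_t and APR_NOFILE.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Constructed stand-in for apr_finfo_t's filetype values; FT_NOFILE plays
 * the role of APR_NOFILE (the "no valid file info" marker). */
enum filetype { FT_NOFILE = 0, FT_REG, FT_DIR, FT_OTHER };

typedef struct {
    enum filetype filetype;
    long long size;
} finfo_t;

/* Constructed stand-in for the request_rec fields the discussion concerns. */
typedef struct {
    char *filename;
    finfo_t finfo;
} request_rec_t;

/* Assign a new filename and refresh finfo in the same step, so later code
 * never sees finfo describing the *previous* file. On a stat failure the
 * whole finfo is cleared and filetype set to FT_NOFILE rather than leaving
 * stale size/type fields behind. Returns 0 on success, else the errno value. */
int set_filename(request_rec_t *r, const char *name)
{
    struct stat st;

    free(r->filename);
    r->filename = strdup(name);

    if (stat(r->filename, &st) != 0) {
        int err = errno;
        memset(&r->finfo, 0, sizeof r->finfo);   /* drop every stale field */
        r->finfo.filetype = FT_NOFILE;
        return err;
    }

    r->finfo.size = (long long)st.st_size;
    r->finfo.filetype = S_ISREG(st.st_mode) ? FT_REG
                      : S_ISDIR(st.st_mode) ? FT_DIR : FT_OTHER;
    return 0;
}
```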



[DRAFT] [ANNOUNCE] Mod_python 3.2.8 (security)

2006-02-23 Thread Gregory (Grisha) Trubetskoy


If you see any problems with this text, let me know.

-- Forwarded message --
Date: Sat, 12 Feb 2005 22:00:56 -0500 (EST)
From: Gregory (Grisha) Trubetskoy [EMAIL PROTECTED]
To: announce@httpd.apache.org, [EMAIL PROTECTED]
Cc: python-dev@httpd.apache.org
Subject: [ANNOUNCE] Mod_python 3.2.8 (security)

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of versions 3.2.8 of mod_python.

This release addresses a vulnerability in mod_python's FileSession
object whereby a carefully crafted session cookie could potentially
permit an attacker to execute code on the server.

FileSession was introduced in mod_python 3.2.7 released on February 15
2006 and is not enabled by default, therefore only a very small number
of installations, if any, are likely to be affected by this issue.

There are no other changes or improvements from the previous version in
this release.

Mod_python is available for download from:

http://httpd.apache.org/modules/python-download.cgi

For more information about mod_python visit http://www.modpython.org/

Regards,

Gregory Trubetskoy



Re: [DRAFT] [ANNOUNCE] Mod_python 3.2.8 (security)

2006-02-23 Thread Jorey Bump

Gregory (Grisha) Trubetskoy wrote:

> If you see any problems with this text, let me know.
>
> -- Forwarded message --
> Date: Sat, 12 Feb 2005 22:00:56 -0500 (EST)
> From: Gregory (Grisha) Trubetskoy [EMAIL PROTECTED]
> To: announce@httpd.apache.org, [EMAIL PROTECTED]
> Cc: python-dev@httpd.apache.org
> Subject: [ANNOUNCE] Mod_python 3.2.8 (security)
>
> The Apache Software Foundation and The Apache HTTP Server Project are
> pleased to announce the release of versions 3.2.8 of mod_python.

   versions -> version

> This release addresses a vulnerability in mod_python's FileSession
> object whereby a carefully crafted session cookie could potentially
> permit an attacker to execute code on the server.
>
> FileSession was introduced in mod_python 3.2.7 released on February 15
> 2006 and is not enabled by default, therefore only a very small number
> of installations, if any, are likely to be affected by this issue.
>
> There are no other changes or improvements from the previous version in
> this release.
>
> Mod_python is available for download from:
>
> http://httpd.apache.org/modules/python-download.cgi
>
> For more information about mod_python visit http://www.modpython.org/
>
> Regards,
>
> Gregory Trubetskoy





Re: [DRAFT] [ANNOUNCE] Mod_python 3.2.8 (security)

2006-02-23 Thread Jim Gallacher

Looks good (with Jorey's correction).

Jim
