[jira] Commented: (MODPYTHON-128) Have assigning req.filename automatically update req.finfo.
[ http://issues.apache.org/jira/browse/MODPYTHON-128?page=comments#action_12367490 ]

Graham Dumpleton commented on MODPYTHON-128:

Here is a link to discussion of a similar change being ported from mod_perl 1 to mod_perl 2.

http://www.gossamer-threads.com/lists/modperl/dev/8281

Their code was:

+static MP_INLINE +char *mpxs_Apache__RequestRec_filename(pTHX_ request_rec *r, + SV *name) +{ +char *retval = r-filename; + +if (name) { +STRLEN len; +const char *val = SvPV(name, len); + +MP_TRACE_o(MP_FUNC, setting r-filename to %s\n, + val); + +/* set r-filename to the incoming value */ +r-filename = apr_pstrndup(r-pool, val, len); + +/* and update r-finfo so later calcuations work properly */ +apr_status_t rv = apr_stat(r-finfo, r-filename, + APR_FINFO_MIN, r-pool); + +if (rv != APR_SUCCESS) { + MP_TRACE_o(MP_FUNC, unable to update finfo for %s\n, +name); + r-finfo.filetype = 0; +} +} + +return retval; +}

Worth noting is that they set finfo.filetype to 0 if stat fails. Consulting:

http://docx.webperf.org/structapr__finfo__t.html
http://docx.webperf.org/group__apr__file__info.html#gga3a66
http://docx.webperf.org/apr__file__info_8h-source.html

rather than being assigned to zero, the constant APR_NOFILE should probably be used. Is finfo.filetype being 0/APR_NOFILE truly indicative of data not being valid by itself? Need to dig into apr_stat() further when I have time.

Have assigning req.filename automatically update req.finfo.
---
Key: MODPYTHON-128
URL: http://issues.apache.org/jira/browse/MODPYTHON-128
Project: mod_python
Type: Improvement
Components: core
Versions: 3.3
Reporter: Graham Dumpleton

Although it is possible to assign a new value to req.filename, it is not possible to update req.finfo based on the new filename. Suggest that, if req.filename is assigned a new value, apr_stat() be automatically called to update req.finfo.
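Review bot: In the failure branch of the quoted mod_perl code, the trace call passes `name` (the incoming SV pointer) to a `%s` conversion, whereas the earlier trace correctly passes the C string `val`; `MP_TRACE_o(MP_FUNC, "unable to update finfo for %s\n", name)` should use `val`. Two smaller points on the same branch: `finfo.filetype = 0` should use the APR_NOFILE constant, as Graham notes, and zeroing only filetype leaves the remaining fields of finfo holding values from the previous filename, so a later caller that checks another field without first checking filetype would read stale data; clearing the whole finfo structure on stat failure avoids that.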
I.e., internally mod_python would do something like:

apr_stat(&r->finfo, r->filename, APR_FINFO_MIN, r->pool);

I believe that mod_perl supports a similar feature, but would need to confirm this.

Related to req.filename, the req.canonical_filename should also be writable, as when changing req.filename the latter should also by rights be updated as well.

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira
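As an added illustration of the behaviour the issue proposes (example code written here, not mod_python's or mod_perl's): a request structure carrying a filename and cached file information, where assigning the filename immediately re-stats the path and, when the stat fails, marks the cached information invalid with a NOFILE value the way the mod_perl port does. To build without APR it uses POSIX stat() and a hypothetical filetype enum in place of apr_stat(), apr_finfo_t and APR_NOFILE; request_t, request_set_filename, request_is_regular_file, stat_filetype_of and finfo_tracks_filename are names chosen for this example, and the temporary file it creates is constructed sample input.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for APR's filetype values; FI_NOFILE plays the role of APR_NOFILE. */
typedef enum { FI_NOFILE = 0, FI_REG, FI_DIR, FI_OTHER } filetype_t;

typedef struct {
    filetype_t filetype;   /* FI_NOFILE means "no valid information" */
    off_t size;
} finfo_t;

typedef struct {
    char *filename;        /* stand-in for r->filename */
    finfo_t finfo;         /* stand-in for r->finfo */
} request_t;

/* Assign a new filename and refresh finfo in the same step. Returns 0 on
 * success; returns -1 if the stat failed, in which case finfo is explicitly
 * invalidated rather than left holding the previous file's metadata. */
int request_set_filename(request_t *r, const char *name)
{
    struct stat st;
    char *copy = strdup(name);
    if (copy == NULL)
        return -1;
    free(r->filename);
    r->filename = copy;

    if (stat(r->filename, &st) != 0) {
        /* Clear every cached field, not just filetype, so nothing stale survives. */
        r->finfo.filetype = FI_NOFILE;
        r->finfo.size = 0;
        return -1;
    }
    if (S_ISREG(st.st_mode))
        r->finfo.filetype = FI_REG;
    else if (S_ISDIR(st.st_mode))
        r->finfo.filetype = FI_DIR;
    else
        r->finfo.filetype = FI_OTHER;
    r->finfo.size = st.st_size;
    return 0;
}

/* A later check that trusts finfo; with stale finfo it would describe the wrong file. */
int request_is_regular_file(const request_t *r)
{
    return r->finfo.filetype == FI_REG;
}

void request_free(request_t *r)
{
    free(r->filename);
    r->filename = NULL;
    r->finfo.filetype = FI_NOFILE;
    r->finfo.size = 0;
}

/* Convenience: the filetype a fresh request would cache for a path. */
int stat_filetype_of(const char *path)
{
    request_t r = { NULL, { FI_NOFILE, 0 } };
    request_set_filename(&r, path);
    int ft = (int)r.finfo.filetype;
    request_free(&r);
    return ft;
}

/* Walk through a regular temp file, a directory and a missing path.
 * Returns 0 if finfo tracked each assignment, otherwise the failed step. */
int finfo_tracks_filename(void)
{
    request_t r = { NULL, { FI_NOFILE, 0 } };
    char tmpl[] = "/tmp/finfo_demo_XXXXXX";     /* constructed sample file */
    char alt[] = "./finfo_demo_XXXXXX";
    char *path = tmpl;
    int rc = 0;
    int fd = mkstemp(tmpl);
    if (fd < 0) { path = alt; fd = mkstemp(alt); }
    if (fd < 0)
        return 1;
    if (write(fd, "hello", 5) != 5) rc = 2;
    close(fd);

    if (rc == 0 && (request_set_filename(&r, path) != 0 ||
                    !request_is_regular_file(&r) || r.finfo.size != 5))
        rc = 3;
    if (rc == 0 && (request_set_filename(&r, "/") != 0 || r.finfo.filetype != FI_DIR))
        rc = 4;
    /* Missing path: stat fails and finfo must no longer claim a directory. */
    if (rc == 0 && (request_set_filename(&r, "/tmp/finfo_demo_does_not_exist") != -1 ||
                    r.finfo.filetype != FI_NOFILE || request_is_regular_file(&r)))
        rc = 5;

    unlink(path);
    request_free(&r);
    return rc;
}

int main(void)
{
    int rc = finfo_tracks_filename();
    printf("finfo tracked filename: %s (code %d)\n", rc == 0 ? "yes" : "no", rc);
    return rc;
}
```

The point of invalidating on failure is the one Graham raises: a handler that runs after the assignment and consults finfo before serving or rejecting a request should see either the new file's metadata or an explicit "no file", never the previous file's.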
[DRAFT] [ANNOUNCE] Mod_python 3.2.8 (security)
If you see any problems with this text, let me know.

-- Forwarded message --
Date: Sat, 12 Feb 2005 22:00:56 -0500 (EST)
From: Gregory (Grisha) Trubetskoy [EMAIL PROTECTED]
To: announce@httpd.apache.org, [EMAIL PROTECTED]
Cc: python-dev@httpd.apache.org
Subject: [ANNOUNCE] Mod_python 3.2.8 (security)

The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of versions 3.2.8 of mod_python.

This release addresses a vulnerability in mod_python's FileSession object whereby a carefully crafted session cookie could potentially permit an attacker to execute code on the server. FileSession was introduced in mod_python 3.2.7 released on February 15 2006 and is not enabled by default, therefore only a very small number of installations, if any, are likely to be affected by this issue.

There are no other changes or improvements from the previous version in this release.

Mod_python is available for download from:

http://httpd.apache.org/modules/python-download.cgi

For more information about mod_python visit http://www.modpython.org/

Regards,
Gregory Trubetskoy
Re: [DRAFT] [ANNOUNCE] Mod_python 3.2.8 (security)
Gregory (Grisha) Trubetskoy wrote:
> If you see any problems with this text, let me know.
>
> -- Forwarded message --
> Date: Sat, 12 Feb 2005 22:00:56 -0500 (EST)
> From: Gregory (Grisha) Trubetskoy [EMAIL PROTECTED]
> To: announce@httpd.apache.org, [EMAIL PROTECTED]
> Cc: python-dev@httpd.apache.org
> Subject: [ANNOUNCE] Mod_python 3.2.8 (security)
>
> The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of versions 3.2.8 of mod_python.

versions -> version

> This release addresses a vulnerability in mod_python's FileSession object whereby a carefully crafted session cookie could potentially permit an attacker to execute code on the server. FileSession was introduced in mod_python 3.2.7 released on February 15 2006 and is not enabled by default, therefore only a very small number of installations, if any, are likely to be affected by this issue.
>
> There are no other changes or improvements from the previous version in this release.
>
> Mod_python is available for download from:
>
> http://httpd.apache.org/modules/python-download.cgi
>
> For more information about mod_python visit http://www.modpython.org/
>
> Regards,
> Gregory Trubetskoy
Re: [DRAFT] [ANNOUNCE] Mod_python 3.2.8 (security)
Looks good (with Jorey's correction).

Jim

Jorey Bump wrote:
> Gregory (Grisha) Trubetskoy wrote:
>> If you see any problems with this text, let me know.
>>
>> -- Forwarded message --
>> Date: Sat, 12 Feb 2005 22:00:56 -0500 (EST)
>> From: Gregory (Grisha) Trubetskoy [EMAIL PROTECTED]
>> To: announce@httpd.apache.org, [EMAIL PROTECTED]
>> Cc: python-dev@httpd.apache.org
>> Subject: [ANNOUNCE] Mod_python 3.2.8 (security)
>>
>> The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of versions 3.2.8 of mod_python.
>
> versions -> version
>
>> This release addresses a vulnerability in mod_python's FileSession object whereby a carefully crafted session cookie could potentially permit an attacker to execute code on the server. FileSession was introduced in mod_python 3.2.7 released on February 15 2006 and is not enabled by default, therefore only a very small number of installations, if any, are likely to be affected by this issue.
>>
>> There are no other changes or improvements from the previous version in this release.
>>
>> Mod_python is available for download from:
>>
>> http://httpd.apache.org/modules/python-download.cgi
>>
>> For more information about mod_python visit http://www.modpython.org/
>>
>> Regards,
>> Gregory Trubetskoy