Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability

2004-02-04 Thread Martin Kraemer
On Wed, Feb 04, 2004 at 05:48:48PM +0100, Stipe Tolj wrote:
 Hi list,
 
 attached patch fixes the bug# 26152 as described in
 http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26152
 
 Main purpose was to handle backslashes in the URI to avoid misleading
 interpretation via the underlying cygwin OS layer, which allows
 backslashes as directory delimiters.
 
 Therefore src/os/cygwin/util_cygwin.c implements its own
 ap_os_canonical_filename() routine to map backslashes to slashes and
 rely on the afterlying directory_walk() and file_walk() security
 mechanisms.

Thanks (but please send the diffs in a registered plaintext format,
e.g. text/plain, not application/x-unknown-content-type-diff_auto_file)


+API_EXPORT(char *) ap_os_canonical_filename(pool *pPool, const char *szFile)
+{
+char *buf;
+char buf2[MAX_STRING_LEN];
+int rc, len; 
+char *pos;
+
+len = strlen(szFile);
+buf = ap_pstrndup(pPool, szFile, len);
+
+/* Switch backslashes to forward */
+for (pos=buf; *pos; pos++)
+if (*pos == '\\')
+*pos = '/';
+
+return ap_pstrdup(pPool, buf);
IMO this additional dupping is not needed; just return buf;
+}
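Review bot: buf2 and rc are declared at the top of ap_os_canonical_filename() but never used in the visible body; drop both, since buf2 reserves MAX_STRING_LEN bytes of stack for nothing. The len = strlen(szFile) followed by ap_pstrndup(pPool, szFile, len) copies the whole string, so a single ap_pstrdup(pPool, szFile) does the same job and len can go as well. A one-line comment saying that the routine only maps literal backslashes and leaves every access decision to the later directory_walk() and file_walk() checks would make the intent clear to the next reader.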

   Martin
-- 
[EMAIL PROTECTED] | Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730  Munich,  Germany


Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability

2004-02-04 Thread Roy T. Fielding
-1.  Reject the request with a 400 error instead.

Roy



Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability

2004-02-04 Thread William A. Rowe, Jr.
At 05:45 PM 2/4/2004, Roy T. Fielding wrote:
-1.  Reject the request with a 400 error instead.

++1 to Roy's suggestion.

I believe that Win32 may accept the back slash (with the changes proposed
for the cygwin port.)  However ... here's the trick ... the cygwin httpd port
is emulating Unix, so it should behave as a unix port.

Bill 
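
The two fixes debated in this thread, side by side, as an added example (not code from the patch, from Apache, or from any poster). The function names, the status constants and the sample path are constructed for illustration; it shows why a slash-only ".." check does not see backslash-delimited segments, and how the mapping approach and the reject-with-400 approach each close that gap.

```c
#include <stdio.h>
#include <string.h>

#define PATH_CONTINUE    0    /* hypothetical: hand the path on to the normal checks */
#define HTTP_BAD_REQUEST 400

/* Return 1 if any segment of path is exactly "..", splitting on the
 * delimiter characters listed in delims. */
static int has_dotdot_segment(const char *path, const char *delims)
{
    const char *seg = path;
    for (;;) {
        size_t n = strcspn(seg, delims);
        if (n == 2 && seg[0] == '.' && seg[1] == '.')
            return 1;
        if (seg[n] == '\0')
            return 0;
        seg += n + 1;
    }
}

/* Approach in the patch: map '\' to '/' in place, so the later
 * slash-based checks see the same segments the OS layer will. */
static void map_backslashes(char *path)
{
    for (; *path; path++)
        if (*path == '\\')
            *path = '/';
}

/* Approach suggested in the replies: refuse any path with a backslash. */
static int reject_backslashes(const char *path)
{
    return strchr(path, '\\') ? HTTP_BAD_REQUEST : PATH_CONTINUE;
}

int main(void)
{
    char path[] = "/a/..\\..\\b";   /* constructed sample path */

    printf("slash-only check sees '..': %d\n", has_dotdot_segment(path, "/"));
    printf("reject policy returns:      %d\n", reject_backslashes(path));
    map_backslashes(path);
    printf("after mapping (%s):  %d\n", path, has_dotdot_segment(path, "/"));
    return 0;
}
```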



Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability

2004-02-04 Thread Stipe Tolj
Hi Roy,

Roy T. Fielding wrote
 
 -1.  Reject the request with a 400 error instead.

actually a standard (apache layout) install (from source) on a linux
box with the URI described in the bug report gives also a 404, and
*not* a 400 in response.

So we get the same behaviour on cygwin as on linux?! Why is the
behaviour on cygwin then more wrong?

Stipe

mailto:[EMAIL PROTECTED]
---
Wapme Systems AG

Münsterstr. 248
40470 Düsseldorf, NRW, Germany

phone: +49.211.74845.0
fax: +49.211.74845.299

mailto:[EMAIL PROTECTED]
http://www.wapme-systems.de/
---



Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability

2004-02-04 Thread Stipe Tolj
William A. Rowe, Jr. wrote:
 
 At 05:45 PM 2/4/2004, Roy T. Fielding wrote:
 -1.  Reject the request with a 400 error instead.
 
 ++1 to Roy's suggestion.
 
 I believe that Win32 may accept the back slash (with the changes proposed
 for the cygwin port.)  However ... here's the trick ... the cygwin httpd port
 is emulating Unix, so it should behave as a unix port.

which means actually what? ... I didn't get the point. Maybe it's too
late here... ;)

Stipe



Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability

2004-02-04 Thread Stipe Tolj
Stipe Tolj wrote:
 
 Hi Roy,
 
 Roy T. Fielding wrote
 
  -1.  Reject the request with a 400 error instead.
 
 actually a standard (apache layout) install (from source) on a linux
 box with the URI described in the bug report gives also a 404, and
 *not* a 400 in response.
 
 So we get the same behaviour on cygwin as on linux?! Why is the
 behaviour on cygwin then more wrong?

which does not mean that I'm veto'ing the -1 in terms of HTTP response
code semantics. That's ok for me and actually I would be +1 for
responding 400 to a non-valid, abusing URI. But just to mention
that the linux install did the same. So either we should have it
changed generically, but not specifically for cygwin IMO.

Stipe
