How to reproduce (shttpd on WinXP or similar):
1. in the shttpd root directory, create a file named NoName.html,
containing some text
2. from a browser on the same computer, ask for
http://localhost/NoName.html - this will work
3. from a browser on the same computer, ask for
http://localhost/noname.html - this will return Error 500 System Error
With shttpd running on a unixy computer, I presume that setp 3 will produce
an Error 404 Not Found.
I work with shttpd 1.39, but the behavior will be same with 1.42, from
looking at file diffs.
Diagnostic (for step 3):
1. decide_what_to_do() calls get_path_info() -> my_stat() -> _wstat()
which succeeds, being case-insensitive
2. decide_what_to_do() calls my_open() ->
protect_against_code_disclosure() -> strcmp() which now compares
data.cFileName == "Noname1.html" to p == "noname1.html" and fails
3. decide_what_to_do() calls send_server_error(c, 500, "Internal Error")
The proposed patch that fixes the problem is
< strcmp(data.cFileName, p) != 0)
> strcmpi(data.cFileName, p) != 0)
Best regards
Rudi Farkas
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
shttpd-general mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shttpd-general
