cool, thanks. to be patched in
On Tue, Sep 23, 2008 at 9:52 PM, Rudi Farkas <[EMAIL PROTECTED]> wrote:
> How to reproduce (shttpd on WinXP or similar):
>
> 1. in the shttpd root directory, create a file named NoName.html,
> containing some text
> 2. from a browser on the same computer, ask for
> http://localhost/NoName.html - this will work
> 3. from a browser on the same computer, ask for
> http://localhost/noname.html - this will return Error 500 System Error
>
> With shttpd running on a unixy computer, I presume that step 3 will produce
> an Error 404 Not Found.
>
> I work with shttpd 1.39, but the behavior will be the same with 1.42, from
> looking at file diffs.
>
> Diagnostic (for step 3):
>
> 1. decide_what_to_do() calls get_path_info() -> my_stat() -> _wstat()
> which succeeds, being case-insensitive
> 2. decide_what_to_do() calls my_open() ->
> protect_against_code_disclosure() -> strcmp() which now compares
> data.cFileName == "Noname1.html" to p == "noname1.html" and fails
> 3. decide_what_to_do() calls send_server_error(c, 500, "Internal
> Error")
>
>
> The proposed patch that fixes the problem is
>
> < strcmp(data.cFileName, p) != 0)
> > strcmpi(data.cFileName, p) != 0)
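Review bot: `strcmpi` in the replacement line is a Microsoft CRT name, not standard C; `_stricmp` is the conforming MSVC spelling and POSIX systems have `strcasecmp` in `<strings.h>`, so either guard the call with `#ifdef _WIN32` or wrap it in a small helper, otherwise the file stops building on the unixy systems mentioned above. Keeping the case-sensitive `strcmp` on those systems also preserves the stricter behaviour there, where the report expects a 404 because `stat()` is case-sensitive. Since the comparison lives in protect_against_code_disclosure(), ignoring case means a request that differs from the on-disk name only in case now passes this check; it is worth confirming that whatever this check guards treats such names identically before merging.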
>
>
> Best regards
> Rudi Farkas
>
_______________________________________________
shttpd-general mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shttpd-general