Posted to dev@httpd.apache.org by Alexei Kosut <ak...@organic.com> on 1997/09/05 23:39:00 UTC
[PATCH] Canonicalizing entries (again)
I posted this patch a few days ago, but didn't see any response
indicating whether it should be applied. So I'm sending it again, and if
I don't get any feedback in a few days, I'll commit it, I guess.
It subjects <Directory> and <Files> entries to the same treatment we give
translated filenames on Windows. Because we now internally assume that
all filenames are lowercase, with a (lowercase) drive letter, and use
long names, we've increased the possibility that someone will use
<Directory> to try and protect something and fail to, because they didn't
read the fine print in the (nonexistent) documentation. It also causes
<DirectoryMatch> and <FilesMatch> to be case-insensitive, with the same
reasoning.
Index: main/http_core.c
===================================================================
RCS file: /export/home/cvs/apachen/src/main/http_core.c,v
retrieving revision 1.118
diff -u -r1.118 http_core.c
--- http_core.c 1997/09/02 16:12:08 1.118
+++ http_core.c 1997/09/03 23:46:25
@@ -753,6 +753,16 @@
return NULL;
}
+/* We use this in <DirectoryMatch> and <FilesMatch>, to ensure that
+ * people don't get bitten by wrong-cased regex matches
+ */
+
+#ifdef WIN32
+#define USE_ICASE REG_ICASE
+#else
+#define USE_ICASE 0
+#endif
+
static const char end_dir_magic[] = "</Directory> outside of any <Directory> section";
const char *end_dirsection (cmd_parms *cmd, void *dummy) {
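Review bot: The comment above the `USE_ICASE` definition does not say that the flag is only set under `WIN32`. Every other build gets `0`, so `<DirectoryMatch>` and `<FilesMatch>` stay case-sensitive there, and a reader of the call sites cannot tell that from the macro name. Suggest stating the platform condition in the comment, for instance that matching is case-insensitive only where filenames are canonicalized to lowercase.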
@@ -782,11 +792,15 @@
cmd->override = OR_ALL|ACCESS_CONF;
if (cmd->info) { /* <DirectoryMatch> */
- r = pregcomp(cmd->pool, cmd->path, REG_EXTENDED);
+ r = pregcomp(cmd->pool, cmd->path, REG_EXTENDED|USE_ICASE);
}
else if (!strcmp(cmd->path, "~")) {
cmd->path = getword_conf (cmd->pool, &arg);
- r = pregcomp(cmd->pool, cmd->path, REG_EXTENDED);
+ r = pregcomp(cmd->pool, cmd->path, REG_EXTENDED|USE_ICASE);
+ }
+ else {
+ /* Ensure that the pathname is canonical */
+ cmd->path = os_canonical_filename(cmd->pool, cmd->path);
}
errmsg = srm_command_loop (cmd, new_dir_conf);
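Review bot: The two regex branches only gain `REG_EXTENDED|USE_ICASE`, so the pattern in `cmd->path` is never canonicalized the way the plain `<Directory>` path is in the new `else` branch. That covers letter case, but the cover message says canonical names also use long names and a lowercase drive letter, and a case-insensitive match does not normalize a pattern written against a different form of the name. Suggest documenting that `<DirectoryMatch>` patterns must be written against the canonical form, and noting it in the comment on `USE_ICASE`.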
@@ -881,16 +895,21 @@
if (cmd->info) { /* <FilesMatch> */
if (old_path && cmd->path[0] != '/' && cmd->path[0] != '^')
cmd->path = pstrcat(cmd->pool, "^", old_path, cmd->path, NULL);
- r = pregcomp(cmd->pool, cmd->path, REG_EXTENDED);
+ r = pregcomp(cmd->pool, cmd->path, REG_EXTENDED|USE_ICASE);
}
else if (!strcmp(cmd->path, "~")) {
cmd->path = getword_conf (cmd->pool, &arg);
if (old_path && cmd->path[0] != '/' && cmd->path[0] != '^')
cmd->path = pstrcat(cmd->pool, "^", old_path, cmd->path, NULL);
- r = pregcomp(cmd->pool, cmd->path, REG_EXTENDED);
+ r = pregcomp(cmd->pool, cmd->path, REG_EXTENDED|USE_ICASE);
+ }
+ else {
+ if (old_path && cmd->path[0] != '/')
+ cmd->path = pstrcat(cmd->pool, old_path, cmd->path, NULL);
+
+ /* Ensure that the pathname is canonical */
+ cmd->path = os_canonical_filename(cmd->pool, cmd->path);
}
- else if (old_path && cmd->path[0] != '/')
- cmd->path = pstrcat(cmd->pool, old_path, cmd->path, NULL);
errmsg = srm_command_loop (cmd, new_file_conf);
if (errmsg != end_file_magic) return errmsg;
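Review bot: In the new final `else`, when `old_path` is NULL and `cmd->path` has no leading `/`, the string is passed to `os_canonical_filename()` unchanged, so a bare name in `<Files>` is now canonicalized as if it were a path. Please confirm the function leaves such a name relative and only lowercases it, and add a comment saying so. Separately, the test `cmd->path[0] != '/'` treats a path that starts with a drive letter as relative and prepends `old_path`, which is worth checking now that the result is fed to the canonicalizer.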
-- Alexei Kosut <ak...@organic.com>
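The failure mode described in the message above, as an added example that is not part of the original post or Apache's code: a section path typed in mixed case never matches the lowercase filename it is compared against, and a regex section needs `REG_ICASE` for the same reason. The helpers `demo_canonicalize`, `section_applies` and `regex_applies` and the sample paths are hypothetical; the canonicalizer only lowercases and is not `os_canonical_filename()`.

```c
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for canonicalization: lowercases in place only.
 * Apache's os_canonical_filename() is not reproduced here. */
static void demo_canonicalize(char *path) {
    for (; *path; ++path)
        *path = (char)tolower((unsigned char)*path);
}

/* Simplified plain-section test (an assumption of this example): the section
 * path must prefix the filename, byte for byte, on a segment boundary. */
static int section_applies(const char *section, const char *filename) {
    size_t n = strlen(section);
    if (n == 0 || strncmp(section, filename, n) != 0)
        return 0;
    return section[n - 1] == '/' || filename[n] == '/' || filename[n] == '\0';
}

/* Regex-section test; flags is 0 or REG_ICASE. Returns -1 on a bad pattern. */
static int regex_applies(const char *pattern, const char *filename, int flags) {
    regex_t re;
    int hit;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB | flags) != 0)
        return -1;
    hit = (regexec(&re, filename, 0, NULL, 0) == 0);
    regfree(&re);
    return hit;
}

int main(void) {
    /* Constructed sample values: filename already lowercase, entry as typed. */
    const char *file = "c:/apache/htdocs/private/report.txt";
    const char *pat = "^C:/Apache/htdocs/Private";
    char entry[] = "C:/Apache/htdocs/Private";

    printf("raw entry applies:       %d\n", section_applies(entry, file));
    demo_canonicalize(entry);
    printf("canonical entry applies: %d\n", section_applies(entry, file));
    printf("regex, case-sensitive:   %d\n", regex_applies(pat, file, 0));
    printf("regex, REG_ICASE:        %d\n", regex_applies(pat, file, REG_ICASE));
    return 0;
}
```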
Re: [PATCH] Canonicalizing entries (again)
Posted by Ben Laurie <be...@algroup.co.uk>.
Alexei Kosut wrote:
>
> I posted this patch a few days ago, but didn't see any response
> indicating whether it should be applied. So I'm sending it again, and if
> I don't get any feedback in a few days, I'll commit it, I guess.
>
> It subjects <Directory> and <Files> entries to the same treatment we give
> translated filenames on Windows. Because we now internally assume that
> all filenames are lowercase, with a (lowercase) drive letter, and use
> long names, we've increased the possibility that someone will use
> <Directory> to try and protect something and fail to, because they didn't
> read the fine print in the (nonexistent) documentation. It also causes
> <DirectoryMatch> and <FilesMatch> to be case-insensitive, with the same
> reasoning.
+1 (at least until we come up with a better answer).
Randy also asked about UNC - a valid concern, unfortunately. Sigh.
Cheers,
Ben.
--
Ben Laurie |Phone: +44 (181) 994 6435|Apache Group member
Freelance Consultant |Fax: +44 (181) 994 6472|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd, |http://www.algroup.co.uk/Apache-SSL
London, England. |"Apache: TDG" http://www.ora.com/catalog/apache