Posted to apache-bugdb@apache.org by Tom Parsoneault <to...@superserve.net> on 2001/11/15 18:11:47 UTC

mod_cgi/8765: adding ?x=y to suexec link causes it to fail

>Number:         8765
>Category:       mod_cgi
>Synopsis:       adding ?x=y to suexec link <a href='calendar.pl'> causes it to fail
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Nov 15 09:20:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     tom@superserve.net
>Release:        Apache/2.0.16
>Organization:
apache
>Environment:
Linux 2.2.16
gcc-c++-2.96-69

[root@ns1 /root]# /apache2016/bin/httpd -V
Server version: Apache/2.0.16
Server built:   Nov 13 2001 05:24:07
Server's Module Magic Number: 20010224:1
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/threaded"
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6
 -D APR_USE_FCNTL_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D HTTPD_ROOT="/apache2016"
 -D SUEXEC_BIN="/apache2016/sbin/suexec"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
>Description:
This is a link in a page generated by a perl script:
/secret/cgi/calendar/calendar.pl
works but
/secret/cgi/calendar/calendar.pl?vsSD=1&vsMonth=11&vsYear=2001
fails with a server internal error msg.
suexec_log has something like this when it works:
uid: (513/superserve) gid: (508/508) dir:(/home/superserve/httpd/./) cmd: calendar.pl
and something like this when it fails:
uid: (513/superserve) gid: (508/508) dir:(/home/superserve/httpd/./) cmd:

In ap_unix_create_privileged_process the line
newargs[3] = apr_pstrdup(p, progname);
 puts a null string into newargs[3], causing suexec to fail.

I hope this isn't happening because of me not fully understanding
how suexec works.. The apr_palloc call that pstrdup makes against
the pool p is what fails. Note that the returned pointer is NOT a
NULL, it points to an empty string. Looks like the memcpy (in
apr_pstrdup) is failing.. progname is always "calendar.pl"
Strange.. the pool p appears to be valid.
I'm not getting any seg faults or anything like that.. suexec just
fails to run because its cmd argument points to something it can't stat,
namely an empty string.

>How-To-Repeat:
This is a perl script from http://www.verysimple.com/scripts/organize.html
Install it under suexec. Click on the calendar and it will run. Click
on a day, or "show details", and it fails.
>Fix:
This is for demo only.. I doubt it would work multi-platform and it gobbles
stack, etc. etc. ... a malloc might also work on some platforms.. (I really
need to find out why pstrdup fails here) 

In os/unix/unixd.c: 
ap_unix_create_privileged_process(

 char txt[500];

Add the stuff in the "#if 1" block below the line:
newargs[3] = apr_pstrdup(p, progname);
  that fails:

#if 1   /* tjp: this fixes it */
 strcpy( &txt[0], progname );
 newargs[3]=&txt[0];
#endif
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <ap...@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]