You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Dean Gaudet <dg...@arctic.org> on 1997/09/02 19:28:50 UTC

Re: Repost: [BUG] PR#1031: ErrorDocument with type-maps


On Wed, 27 Aug 1997, Lars Eilebrecht wrote:

> Any ideas why ErrorDocuments to .var files are broken?

Did it ever "work"?

Dean

Re: Repost: [BUG] PR#1031: ErrorDocument with type-maps

Posted by Lars Eilebrecht <La...@unix-ag.org>.
According to Dean Gaudet:

> > Any ideas why ErrorDocuments to .var files are broken?
>  
>  Did it ever "work"?

Probably not. I tried 1.2.1, 1.2.4 and 1.3a2-dev.
MultiViews work, but no .var files.


ciao...
--
Lars Eilebrecht                       - If everything is coming your way,
sfx@unix-ag.org                         - then you're in the wrong lane.
http://www.si.unix-ag.org/~sfx/

Re: Repost: [BUG] PR#1031: ErrorDocument with type-maps

Posted by Dean Gaudet <dg...@arctic.org>.
Ah ok now this makes sense.  Well, removing the r->status check definately
defeats the purpose of that patch.  It is expecting to check the status of
the subrequest ... not the main request.  So (a) sounds like the more
appropriate solution.  I haven't considered the side-effects of (a) yet
though ...

Dean

On Wed, 3 Sep 1997, Paul Sutton wrote:

> On Tue, 2 Sep 1997, Dean Gaudet wrote:
> > On Wed, 27 Aug 1997, Lars Eilebrecht wrote:
> > 
> > > Any ideas why ErrorDocuments to .var files are broken?
> > 
> > Did it ever "work"?
> 
> Yeah, it worked prior to version 1.43 of mod_negotiation.c. It stopped
> with the patch (below) associated with the log message: 
> 
> date: 1997/06/24 03:03:49;  author: dgaudet;  state: Exp;  lines: +9 -6
>   Fix a few security problems.  Avoid problems with pipes, sockets, etc.
>   in the filesystem.  Use sub_req_lookup_file for various functions that
>   open ancillary files, so that they have to pass the symlink tests.
>   Also disallow slashes in HeaderName and ReadmeName to avoid
>   ../../../hacks.o
> 
> The problem is that read_type_map() now checks to see if the status of the
> request in progress is not HTTP_OK and if it is not, returns that status.
> Unfortunately when an error document starts it inherits the main
> document's error code (e.g. HTTP_NOT_FOUND) in
> internal_internal_redirect(). 
> 
> Two possible fixes are 
> 
>  a. get send_error_response() to reset r->status to HTTP_OK on the
>     subrequest
>  b. remove the check for r->status in read_type_map().
> 
> Both of these are likely to have security implications though.
> 
> //pcs
> 
> Index: mod_negotiation.c
> ===================================================================
> RCS file: /export/home/cvs/apachen/src/modules/standard/mod_negotiation.c,v
> retrieving revision 1.42
> retrieving revision 1.43
> diff -u -r1.42 -r1.43
> --- mod_negotiation.c	1997/06/17 00:09:14	1.42
> +++ mod_negotiation.c	1997/06/24 03:03:49	1.43
> @@ -645,17 +645,20 @@
>      return cp;
>  }
>  
> -int read_type_map (negotiation_state *neg, char *map_name)
> +static int read_type_map (negotiation_state *neg, request_rec *rr)
>  {
>      request_rec *r = neg->r;
> -    FILE *map = pfopen (neg->pool, map_name, "r");
> -
> +    FILE *map;
>      char buffer[MAX_STRING_LEN];
>      enum header_state hstate;
>      struct var_rec mime_info;
>      
> +    if (rr->status != HTTP_OK) {
> +	return rr->status;
> +    }
> +    map = pfopen (neg->pool, rr->filename, "r");
>      if (map == NULL) {
> -        log_reason("cannot access type map file", map_name, r);
> +        log_reason("cannot access type map file", rr->filename, r);
>  	return FORBIDDEN;
>      }
>  
> @@ -783,7 +786,7 @@
>  	    closedir(dirp);
>  	    
>  	    neg->avail_vars->nelts = 0;
> -	    return read_type_map (neg, sub_req->filename);
> +	    return read_type_map (neg, sub_req);
>  	}
>  	
>  	/* Have reasonable variant --- gather notes.
> @@ -1853,7 +1856,7 @@
>      
>      char *udir;
>      
> -    if ((res = read_type_map (neg, r->filename))) return res;
> +    if ((res = read_type_map (neg, r))) return res;
>      
>      maybe_add_default_encodings(neg, 0);
>      
> 
> 
>

Re: Repost: [BUG] PR#1031: ErrorDocument with type-maps

Posted by Paul Sutton <pa...@ukweb.com>.
On Tue, 2 Sep 1997, Dean Gaudet wrote:
> On Wed, 27 Aug 1997, Lars Eilebrecht wrote:
> 
> > Any ideas why ErrorDocuments to .var files are broken?
> 
> Did it ever "work"?

Yeah, it worked prior to version 1.43 of mod_negotiation.c. It stopped
with the patch (below) associated with the log message: 

date: 1997/06/24 03:03:49;  author: dgaudet;  state: Exp;  lines: +9 -6
  Fix a few security problems.  Avoid problems with pipes, sockets, etc.
  in the filesystem.  Use sub_req_lookup_file for various functions that
  open ancillary files, so that they have to pass the symlink tests.
  Also disallow slashes in HeaderName and ReadmeName to avoid
  ../../../hacks.o

The problem is that read_type_map() now checks to see if the status of the
request in progress is not HTTP_OK and if it is not, returns that status.
Unfortunately when an error document starts it inherits the main
document's error code (e.g. HTTP_NOT_FOUND) in
internal_internal_redirect(). 

Two possible fixes are 

 a. get send_error_response() to reset r->status to HTTP_OK on the
    subrequest
 b. remove the check for r->status in read_type_map().

Both of these are likely to have security implications though.

//pcs

Index: mod_negotiation.c
===================================================================
RCS file: /export/home/cvs/apachen/src/modules/standard/mod_negotiation.c,v
retrieving revision 1.42
retrieving revision 1.43
diff -u -r1.42 -r1.43
--- mod_negotiation.c	1997/06/17 00:09:14	1.42
+++ mod_negotiation.c	1997/06/24 03:03:49	1.43
@@ -645,17 +645,20 @@
     return cp;
 }
 
-int read_type_map (negotiation_state *neg, char *map_name)
+static int read_type_map (negotiation_state *neg, request_rec *rr)
 {
     request_rec *r = neg->r;
-    FILE *map = pfopen (neg->pool, map_name, "r");
-
+    FILE *map;
     char buffer[MAX_STRING_LEN];
     enum header_state hstate;
     struct var_rec mime_info;
     
+    if (rr->status != HTTP_OK) {
+	return rr->status;
+    }
+    map = pfopen (neg->pool, rr->filename, "r");
     if (map == NULL) {
-        log_reason("cannot access type map file", map_name, r);
+        log_reason("cannot access type map file", rr->filename, r);
 	return FORBIDDEN;
     }
 
@@ -783,7 +786,7 @@
 	    closedir(dirp);
 	    
 	    neg->avail_vars->nelts = 0;
-	    return read_type_map (neg, sub_req->filename);
+	    return read_type_map (neg, sub_req);
 	}
 	
 	/* Have reasonable variant --- gather notes.
@@ -1853,7 +1856,7 @@
     
     char *udir;
     
-    if ((res = read_type_map (neg, r->filename))) return res;
+    if ((res = read_type_map (neg, r))) return res;
     
     maybe_add_default_encodings(neg, 0);