Posted to dev@httpd.apache.org by "William A. Rowe, Jr." <wr...@lnd.com> on 2000/06/23 21:53:29 UTC

FW: cvs commit: apache-1.3/src/os/win32 util_win32.c

1) would those in Win32 bash the heck out of this code and see
   if you come up with anything this patch doesn't cover?

2) an earlier patch for the alloc.h -> ap_alloc.h may have broken
   any compressed files that are in the actual tree.  Netware
   specifically, and anyone else affected, would you please review
   your gzipped build files for issues and submit the appropriate
   patches?

3) who last built Win32?  Does someone have a license of the old
   Installer application that I can legitimately use, or who is
   willing to roll with Win32 release themselves?  The only thing
   that must change is the batch file, if we are to offer that
   protection for building shortcuts.  I'd commit the RunApache.bat
   file to the tree if no one objects.

It looks like we are ready to roll.  Security issue was reported
31 May, so I want to see us roll and release before 30 June.

Are there any further OS390, Netware, or other top issues to fix
for the 1.3.13 release? 

Bill

The Borland build was never a showstopper... I don't want to hold
for it, and some small fixes anticipate much of what is needed for
them to be able to compile.  But it isn't supported yet.

> -----Original Message-----
> From: wrowe@locus.apache.org [mailto:wrowe@locus.apache.org] 
> Sent: Friday, June 23, 2000 2:45 PM
> To: apache-1.3-cvs@apache.org
> Subject: cvs commit: apache-1.3/src/os/win32 util_win32.c
> 
> 
> wrowe       00/06/23 12:44:32
> 
>   Modified:    .        STATUS
>                src      CHANGES
>                src/os/win32 util_win32.c
>   Log:
>     This incorporates Allen's fix into a broader set of potential Win32
>     security holes.  With that I believe Marc's concerns are addressed, as
>     the hold appears to be very Win32 specific.
>   
>   Revision  Changes    Path
>   1.830     +19 -14    apache-1.3/STATUS
>   
>   Index: STATUS
>   ===================================================================
>   RCS file: /home/cvs/apache-1.3/STATUS,v
>   retrieving revision 1.829
>   retrieving revision 1.830
>   diff -u -r1.829 -r1.830
>   --- STATUS	2000/06/17 07:02:04	1.829
>   +++ STATUS	2000/06/23 19:44:26	1.830
>   @@ -1,9 +1,9 @@
>      1.3 STATUS:
>   -  Last modified at [$Date: 2000/06/17 07:02:04 $]
>   +  Last modified at [$Date: 2000/06/23 19:44:26 $]
>    
>    Release:
>    
>   -    1.3.13-dev: In development - targeted to freeze June 15th?
>   +    1.3.13-dev: In development - ready to freeze?
>        1.3.12: Tagged and rolled Feb. 23, 2000. Released and
>                announced on the 25th.
>        1.3.11: Tagged and rolled Jan. 19, 2000. Released and
>   @@ -25,16 +25,14 @@
>    
>    RELEASE SHOWSTOPPERS:
>    
>   -    * Close the security hole in stat() by testing for 
> anything other 
>   -        than conventional file-not-found, 
> permission-denied errors and
>   -        rejecting the request then and there.  By rights, 
> all of these 
>   -        cases aught to be Not Found, not Permission 
> Denied, or maybe 500?
>   +    * Add a simple Win32 hold console open patch (wait for close or
>   +        the ESC key, with a nice message) if the server died a 
>   +        bad death (non-zero exit code) in console mode.  At the 
>   +        moment the fix on the table is shelling to %comspec% /k
>   +        RunApache.bat that will exit if apache.exe 
> succeeds, but leave
>   +        the console open on error.  This allows users to 
> read the error,
>   +        type logs and edit config files as necessary.
>    
>   -    * Windows install script review/revision?
>   -        Need to play with a wrapper .bat file for the user 
> icons, so the
>   -        console don't close when Apache exits with an error.
>   -        - Daniel S. Reichenbach is cooking something up.
>   -
>    RELEASE NON-SHOWSTOPPERS BUT WOULD BE REAL NICE TO WRAP THESE UP:
>    
>        * long pathnames with many components and no AllowOverride None
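Review bot: The removed stat() showstopper asked for rejecting a request on any stat() error other than file-not-found or permission-denied, but the only stat-related code change in this commit is the path-length test in os_stat(). Either keep a trimmed entry for the general error handling, or state in the log that the length check is considered to close it, so the item does not silently drop out of STATUS.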
>   @@ -385,12 +383,19 @@
>    
>     In progress:
>    
>   +    * Windows install script review/revision?
>   +        - Daniel S. Reichenbach is cooking something up.
>   +
>        * Ben's ASP work... All agree it sounds cool.
>    
>   -    * DDA's adding a tray application to the Windoze 
> version for ease of
>   +    * Adding a tray application to the Windoze version for ease of
>          status/management.  (PR3594, PR4873)
>   -	<01...@caravan.individual.com>
>   -	<01...@caravan.individual.com>
>   +	DDA's <01...@caravan.individual.com>
>   +	DDA's <01...@caravan.individual.com>
>   +        There is no code here, only concept.  Noone has 
> implemented a pure
>   +        C language WinAPI (no MFC) multiple-services aware 
> taskbar app for 
>   +        both WinNT and Win95.  Open to anyone proposing 
> something complete.
>   +        If it comes between releases, add it to contrib right away!
>    	Status: Ken +1, Sameer +1, Martin +1, Ben +1 (as long as
>    		we get a single executable)
>    	Paul: No like Win95 specific stuff
>   
>   
>   
>   1.1561    +6 -1      apache-1.3/src/CHANGES
>   
>   Index: CHANGES
>   ===================================================================
>   RCS file: /home/cvs/apache-1.3/src/CHANGES,v
>   retrieving revision 1.1560
>   retrieving revision 1.1561
>   diff -u -r1.1560 -r1.1561
>   --- CHANGES	2000/06/19 20:36:32	1.1560
>   +++ CHANGES	2000/06/23 19:44:28	1.1561
>   @@ -1,5 +1,10 @@
>    Changes with Apache 1.3.13
>    
>   +  *) Expand Win32 protection for pathname length, to 
> provide protection
>   +     from future potential bugs such as that which caused 
> directory index 
>   +     to be displayed rather than returning an error.
>   +     [William Rowe, Allan Edwards <ak...@raleigh.ibm.com>]
>   +
>      *) USE_SYSVSEM_SERIALIZED_ACCEPT locking on OS/390
>         [Ovies Brabson]
>    
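Review bot: The new CHANGES entry names the goal but not the behaviour; say that os_stat() now fails for paths of MAX_PATH characters or more, so administrators can connect the entry to the responses they see. The contributor is spelled "Allan" here and "Allen" in the commit log, so one of the two needs correcting.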
>   @@ -7,7 +12,7 @@
>         helper apps that invoke Apache.exe without a console. 
>  Recognize that
>         we are running NT, and use the 
> STARTF_FORCEOFFFEEDBACK flag to be
>         sure that the SCM has invoked the process. [William Rowe,
>   -       Jim Patterson <ji...@ncf.ca>, Kevin Kiley, 
> TOKILEY@aol.com]
>   +       Jim Patterson <ji...@ncf.ca>, Kevin Kiley 
> <TO...@aol.com>]
>    
>      *) Export from Win32 the ap_start_shutdown and 
> ap_start_restart symbols 
>         for modules and executables dynamically linked to the core.
>   
>   
>   
>   1.36      +5 -2      apache-1.3/src/os/win32/util_win32.c
>   
>   Index: util_win32.c
>   ===================================================================
>   RCS file: /home/cvs/apache-1.3/src/os/win32/util_win32.c,v
>   retrieving revision 1.35
>   retrieving revision 1.36
>   diff -u -r1.35 -r1.36
>   --- util_win32.c	2000/06/22 22:57:31	1.35
>   +++ util_win32.c	2000/06/23 19:44:31	1.36
>   @@ -288,8 +288,9 @@
>    API_EXPORT(int) os_stat(const char *szPath, struct stat *pStat)
>    {
>        int n;
>   +    int len = strlen(szPath);
>        
>   -    if (strlen(szPath) == 0) {
>   +    if ((len == 0) || (len >= MAX_PATH)) {
>            return -1;
>        }
>    
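Review bot: In the new guard at the top of os_stat(), the return -1 for an over-long path is taken without setting errno, so a caller that inspects errno after the failure sees whatever an earlier call left there. Set errno before returning (a value such as ENAMETOOLONG fits). Separately, "int len = strlen(szPath);" narrows a size_t to int; declare len as size_t or cast explicitly.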
>   @@ -298,7 +299,6 @@
>    	char *s;
>    	int nSlashes = 0;
>    
>   -	ap_assert(strlen(szPath) < _MAX_PATH);
>    	strcpy(buf, szPath);
>    	for (s = buf; *s; ++s) {
>    	    if (*s == '/') {
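Review bot: With ap_assert removed, the unbounded "strcpy(buf, szPath);" is safe only because of the length test added at the top of the function, and nothing at this line says so. Add a comment stating that invariant, and confirm that MAX_PATH in the new test has the same value as the _MAX_PATH the removed assert used and matches the declared size of buf.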
>   @@ -308,6 +308,9 @@
>    	}
>    	/* then we need to add one more to get \\machine\share\ */
>    	if (nSlashes == 3) {
>   +            if (++len >= MAX_PATH) {
>   +                return -1;
>   +            }
>    	    *s++ = '\\';
>    	}
>    	*s = '\0';
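Review bot: The added "if (++len >= MAX_PATH)" bounds the appended backslash using len, which was measured on szPath at function entry, while the write itself goes through s into buf. Testing the write position directly, (s - buf) + 1 against the size of buf, keeps the check tied to the buffer being written if the loop above ever changes how much of buf is used. The three added lines are also indented with spaces where the surrounding context uses tabs.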
>   
>   
>   
> 

RE: cvs commit: apache-1.3/src/os/win32 util_win32.c

Posted by Andrew Braund <ab...@mail.com>.
> -----Original Message-----
> From: William A. Rowe, Jr. [mailto:wrowe@lnd.com]
> Sent: Saturday, 24 June 2000 5:23
> To: new-httpd@apache.org
> Subject: FW: cvs commit: apache-1.3/src/os/win32 util_win32.c
>
> 1) would those in Win32 bash the heck out of this code and see
>    if you come up with anything this patch doesn't cover?
>

I have retested this on apache-1.3_20000623221201.tar.gz
Both Win95(A) and NT4 SP6a give the same results.

DocumentRoot "C:/MailDirector/htdocs"
<Directory "C:/MailDirector/htdocs">
    Options FollowSymLinks MultiViews Includes Indexes
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 192.168.0.0/255.255.0.0
</Directory>

index.shtml test page was;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
	<TITLE>Home Page</TITLE>
</HEAD>
<BODY>
Some text.<br>
<IMG SRC="apache_pb.gif" NAME="Graphic1" ALIGN="middle" WIDTH=259
HEIGHT=32 BORDER=0>
<IMG SRC="php4zend-small-white.gif" NAME="PHP Graphic" ALIGN="middle"
WIDTH=143 HEIGHT=65 BORDER=0>

</BODY>
</HTML>

If I try
http://192.168.0.30 plus 1-213 '/' characters;
Text was displayed and both images (Normal) ie
Some text.
  ApacheImage  PHP4Image

http://192.168.0.30 plus 214-224 '/' characters;
Text was displayed but only the first (Apache) image ie;
Some text.
  ApacheImage  X


http://192.168.0.30 plus 225 or 226 '/' characters;
Text was displayed but no images ie;
Some text.
  X  X

http://192.168.0.30 plus 227-272 '/' characters;
gives forbidden message ie;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
///////////
on this server.<P>
<HR>
<ADDRESS>Apache/1.3.13-dev-apache-1.3_20000623221201.tar.gz Server at <A
HREF="mailto:abraund_news@mail.com">192.168.0.30</A> Port 80</ADDRESS>
</BODY></HTML>


Regards
Andrew Braund
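
The slash counts reported above line up with the "len >= MAX_PATH" test added to os_stat() in the commit. As an added example (not code from this thread or from Apache), the program below models that guard and sweeps the slash count for the three files on the test page. It assumes MAX_PATH is 260 and that the path checked is DocumentRoot, then the request's slashes uncollapsed, then the file name; that mapping is an inference from the numbers, and length_guard, guard_for and max_slashes are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define WIN32_MAX_PATH 260   /* assumed value of MAX_PATH from the Win32 headers */

/* Same test as the patched os_stat(): reject empty or over-long paths. */
static int length_guard(const char *path)
{
    size_t len = strlen(path);
    return (len == 0 || len >= WIN32_MAX_PATH) ? -1 : 0;
}

/* Build docroot + n '/' characters + leaf (assumed mapping, see lead-in)
 * and run the guard on the result. */
static int guard_for(const char *docroot, int n, const char *leaf)
{
    char path[1024];
    size_t d = strlen(docroot), l = strlen(leaf);

    if (n < 0 || d + (size_t)n + l >= sizeof(path))
        return -1;
    memcpy(path, docroot, d);
    memset(path + d, '/', (size_t)n);
    memcpy(path + d + n, leaf, l + 1);   /* copies the trailing NUL too */
    return length_guard(path);
}

/* Largest slash count for which the guard still accepts the path. */
static int max_slashes(const char *docroot, const char *leaf)
{
    int n = 0;
    while (guard_for(docroot, n + 1, leaf) == 0)
        ++n;
    return n;
}

int main(void)
{
    const char *root = "C:/MailDirector/htdocs";   /* from the posted config */
    const char *files[] = { "php4zend-small-white.gif", "apache_pb.gif", "index.shtml" };
    size_t i;

    for (i = 0; i < sizeof(files) / sizeof(files[0]); ++i)
        printf("%-26s last accepted at %d slashes\n", files[i], max_slashes(root, files[i]));
    return 0;
}
```

The three results, 213, 224 and 226, are the last slash counts at which the post reports the PHP image, the Apache image and the page text still being served.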