You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by wr...@apache.org on 2001/08/23 23:56:36 UTC
cvs commit: httpd-2.0/server core.c request.c
wrowe 01/08/23 14:56:36
Modified: server core.c request.c
Log:
Start with the presumption that canonical_filename is not likely to be set.
Therefore we will canonicalize it when it doesn't match filename.
The next optimization should take the path common to canonical_filename
and filename, and start merging filename from there for canonicalization.
Revision Changes Path
1.39 +1 -0 httpd-2.0/server/core.c
Index: core.c
===================================================================
RCS file: /home/cvs/httpd-2.0/server/core.c,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -r1.38 -r1.39
--- core.c 2001/08/23 19:15:13 1.38
+++ core.c 2001/08/23 21:56:36 1.39
@@ -1230,6 +1230,7 @@
ap_log_perror(APLOG_MARK, APLOG_STARTUP | APLOG_NOERRNO, 0, cmd->pool,
"Warning: DocumentRoot [%s] does not exist",
arg);
+ conf->ap_document_root = arg;
}
else {
return "DocumentRoot must be a directory";
1.27 +29 -10 httpd-2.0/server/request.c
Index: request.c
===================================================================
RCS file: /home/cvs/httpd-2.0/server/request.c,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- request.c 2001/08/23 21:21:17 1.26
+++ request.c 2001/08/23 21:56:36 1.27
@@ -476,22 +476,41 @@
* denied. This is very cpu/fs intensive, we need to finish
* auditing, and remove the paranoia trigger.
*/
+ if (r->filename == r->canonical_filename)
#ifdef NO_LONGER_PARANOID
- test_filename = apr_pstrdup(r->pool, r->filename);
+ test_filename = apr_pstrdup(r->pool, r->filename);
#else
- if (apr_filepath_merge(&test_filename, "", r->filename,
- APR_FILEPATH_NOTRELATIVE | APR_FILEPATH_TRUENAME,
- r->pool) != APR_SUCCESS
- || strcmp(test_filename, r->filename) != 0) {
- ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
- "FORBIDDEN; Filepath: %s is not the canonical %s",
- r->filename, test_filename);
- return HTTP_FORBIDDEN;
+ {
+ if (apr_filepath_merge(&test_filename, "", r->filename,
+ APR_FILEPATH_NOTRELATIVE | APR_FILEPATH_TRUENAME,
+ r->pool) != APR_SUCCESS
+ || strcmp(test_filename, r->filename) != 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ "Module bug? Filepath: %s is not the canonical %s",
+ r->filename, test_filename);
+ return HTTP_FORBIDDEN;
+ }
}
#endif
+ else {
+ /* Apparently, somebody didn't know to update r->canonical_filename
+ * which is lucky, since they didn't canonicalize r->filename either.
+ */
+ if (apr_filepath_merge(&test_filename, NULL, r->filename,
+ APR_FILEPATH_NOTRELATIVE | APR_FILEPATH_TRUENAME,
+ r->pool) != APR_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
+ "Module bug? Filepath: %s is not an absolute path",
+ r->filename);
+ return HTTP_FORBIDDEN;
+ }
+ if (strcmp(r->filename, test_filename) != 0)
+ r->filename = apr_pstrdup(test_filename);
+ r->canonical_filename = r->test_filename;
+ }
+
num_dirs = ap_count_dirs(test_filename);
- /* XXX This needs to be rolled into APR: */
if ((res = check_safe_file(r))) {
return res;
}