Posted to dev@httpd.apache.org by Martin Kraemer <Ma...@fujitsu-siemens.com> on 2004/02/04 19:33:29 UTC

Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability

On Wed, Feb 04, 2004 at 05:48:48PM +0100, Stipe Tolj wrote:
> Hi list,
> 
> attached patch fixes the bug# 26152 as described in
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26152
> 
> Main purpose was to handle backslashes in the URI to avoid misleading
> interpretation via the underlying cygwin OS layer, which allows
> backslashes as directory delimiters.
> 
> Therefore src/os/cygwin/util_cygwin.c implements its own
> ap_os_canonical_filename() routine to map backslashes to slashes and
> rely on the afterlying directory_walk() and file_walk() security
> mechanisms.

Thanks (but please send the diffs in a registered plaintext format,
e.g. text/plain, not application/x-unknown-content-type-diff_auto_file)


+API_EXPORT(char *) ap_os_canonical_filename(pool *pPool, const char *szFile)
+{
+    char *buf;
+    char buf2[MAX_STRING_LEN];
+    int rc, len; 
+    char *pos;
+    
+    len = strlen(szFile);
+    buf = ap_pstrndup(pPool, szFile, len);
+
+    /* Switch backslashes to forward */
+    for (pos=buf; *pos; pos++)
+        if (*pos == '\\')
+            *pos = '/';
+    
+    return ap_pstrdup(pPool, buf);
IMO this additional dupping is not needed; just "return buf;"
+}
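
Review bot: buf2[MAX_STRING_LEN] and rc in the declarations at the top of ap_os_canonical_filename() are never referenced in the body and should be removed; buf2 only reserves MAX_STRING_LEN bytes of stack. len is used solely as the length passed to ap_pstrndup(), and since it is strlen(szFile) the whole string is copied anyway, so ap_pstrdup(pPool, szFile) does the same job and len can go as well. szFile is passed to strlen() without a NULL check. The loop rewrites only '\\' to '/', so a short comment above the function stating that ".." segments and repeated slashes are deliberately left to the later directory_walk() and file_walk() checks would document what callers can rely on.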

   Martin
-- 
<Ma...@Fujitsu-Siemens.com>         |     Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730  Munich,  Germany