You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Ben Laurie <be...@gonzo.ben.algroup.co.uk> on 1995/10/19 12:53:36 UTC

Re: Apache incompatibility

Does this deal with .. in the path? I'm not saying it doesn't, just wondering.

> 
> I've uploaded a patch for this:
> 
> 31_include.0.8.15.patch
> -----------------------
> 
> Subject: SSI #include file="/foo/bar" shouldn't work
> Affects: mod_include.c
> ChangeLog: Disallow includes of files not in the same directory as the
>            .shtml file.
> 
> *** mod_include.c.orig	Tue Oct 10 23:00:31 1995
> --- mod_include.c	Thu Oct 19 12:24:16 1995
> ***************
> *** 360,372 ****
>           if(!(tag_val = get_tag(r->pool, in, tag, MAX_STRING_LEN, 1)))
>               return 1;
>           if(!strcmp(tag,"file") || !strcmp (tag, "virtual")) {
> ! 	    request_rec *rr =
> ! 	        (tag[0] == 'f')?
> ! 		    sub_req_lookup_file (tag_val, r) :
> ! 		    sub_req_lookup_uri (tag_val, r);
>   	    char *error_fmt = NULL;
>   	    
> ! 	    if (rr->status != 200)
>   	        error_fmt = "unable to include %s in parsed file %s";
>   
>   	    if (!error_fmt && noexec && rr->content_type
> --- 360,378 ----
>           if(!(tag_val = get_tag(r->pool, in, tag, MAX_STRING_LEN, 1)))
>               return 1;
>           if(!strcmp(tag,"file") || !strcmp (tag, "virtual")) {
> ! 	    request_rec *rr=NULL;
>   	    char *error_fmt = NULL;
> + 
> + 	    if (tag[0] == 'f')
> + 	    { /* be safe; only files in this directory allowed */
> + 		if (strchr(tag_val, '/') != NULL)
> + 		    error_fmt = "unable to include file %s in parsed file %s";
> + 		else
> + 		    rr = sub_req_lookup_file (tag_val, r);
> + 	    } else
> + 		rr = sub_req_lookup_uri (tag_val, r);
>   	    
> ! 	    if (!error_fmt && rr->status != 200)
>   	        error_fmt = "unable to include %s in parsed file %s";
>   
>   	    if (!error_fmt && noexec && rr->content_type
> ***************
> *** 383,389 ****
>                   rprintf(r,"%s",error);
>               }            
>   
> ! 	    destroy_sub_req (rr);
>           } 
>           else if(!strcmp(tag,"done"))
>               return 0;
> --- 389,395 ----
>                   rprintf(r,"%s",error);
>               }            
>   
> ! 	    if (rr != NULL) destroy_sub_req (rr);
>           } 
>           else if(!strcmp(tag,"done"))
>               return 0;

-- 
Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant        Fax:   +44 (181) 994 6472
and Technical Director      Email: ben@algroup.co.uk
A.L. Digital Ltd,
London, England.