Posted to dev@httpd.apache.org by Rob Hartill <ro...@imdb.com> on 1997/01/13 21:38:47 UTC
[BUG]: "http_request.c breaks under Apache 1.1.2" on SunOS 4.x
Hi,
Thanks for the info. I'll pass it on to the right people.
cheers,
rob
On Mon, 13 Jan 1997 domatthe@cisco.com wrote:
> Submitter: domatthe@cisco.com
> Operating system: SunOS 4.x, version:
> Version of Apache Used: 1.1.2
> Extra Modules used: N/A
> URL exhibiting problem: Any URL in the format /cgi-bin/PROGRAM/ARG1/ARG2 etc...
>
> Symptoms:
> --
> Any CGI program passed with slash delimited arguments, to the new
> Apache 1.1.2 on an operating system that has ENOENT defined, will
> fail. The issue is that stat(2v) will return ENOTDIR while
> recursively stating the path, when stat-ing cgi-bin/<program-name> (it
> is a file, not a directory)
>
> This bug will break all server-side imagemaps, footers, and probably
> other heavily-used CGI programs.
>
> For example:
>
> stat(2v) /cgi-bin/imagemap/mapfile will recursively resolve as
> follows: cgi-bin is a dir, imagemap is an entity, but not a dir, so it
> cannot contain a file "mapfile". stat(2v) returns ENOTDIR.
>
>
> Our fix: check if is_scriptaliased (defined in Apache's mod_cgi.c)
> returns 1 at the same time you're checking if errno == ENOENT,
> logically or'd
>
>
> Please let us know if this introduces any new security issues.
>
> Here's a context diff for a patch by John Stewart (jns@cisco.com) and
> me (domatthe@cisco.com) which implements our fix:
>
>
> RCS file: RCS/http_request.c,v
> retrieving revision 1.1
> diff -c -r1.1 http_request.c
> *** http_request.c 1997/01/13 19:53:58 1.1
> --- http_request.c 1997/01/13 19:54:17
> ***************
> *** 180,186 ****
> return OK;
> }
> #if defined(ENOENT)
> ! else if (errno == ENOENT) {
> #else
> #error Your system apparently does not define ENOENT.
> #error Removal of these lines opens a security hole if protecting
> --- 180,186 ----
> return OK;
> }
> #if defined(ENOENT)
> ! else if ((errno == ENOENT) || is_scriptaliased(r)) {
> #else
> #error Your system apparently does not define ENOENT.
> #error Removal of these lines opens a security hole if protecting
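Review bot: the new condition `(errno == ENOENT) || is_scriptaliased(r)` makes the fall-through branch fire for any script-aliased request no matter what stat() failed with, so an EACCES or any other error on a ScriptAlias path is no longer distinguished from a genuinely missing component, and the `#error` text two lines below warns that removing this ENOENT check opens a security hole. The symptom described in the report is stat() returning ENOTDIR when a path component is a file rather than a directory, so the narrower fix is to test for that error explicitly, e.g. `else if (errno == ENOENT || errno == ENOTDIR) {`, which keeps the check tied to the error actually observed rather than to how the URL was aliased. Note also that is_scriptaliased() is described as being defined in mod_cgi.c, so calling it from http_request.c needs a visible declaration and ties the core request path to a module that may not be compiled in.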
> ***************
> *** 197,203 ****
> }
> #if defined(ENOENT)
> else {
> ! log_printf(r->server, "access to %s failed for client; unable to
> determine if index file exists (stat() returned unexpected error)",
> r->filename);
> return FORBIDDEN;
> }
> #endif
> --- 197,203 ----
> }
> #if defined(ENOENT)
> else {
> ! log_printf(r->server, "access to %s failed for client; unable to
> determine if index file exists (stat() returned unexpected error: %d)",
> r->filename, errno);
> return FORBIDDEN;
> }
> #endif
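Review bot: logging the raw errno as `%d` in the new log_printf call leaves the operator to translate a number by hand; `%s` with strerror(errno) (from <string.h>) carries the same information readably, and errno should be copied into a local immediately after the stat() call so that nothing executed in between can overwrite it before it is logged. Also, as quoted, the format string is broken across three lines; if that is how it sits in the file rather than an artifact of mail wrapping, it will not compile and must be either one line or adjacent string literals.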
>
> --
>
> Backtrace:
> --
>
> --
--
Rob Hartill. Internet Movie Database Ltd. http://www.imdb.com/