Posted to dev@httpd.apache.org by Rob Hartill <ro...@imdb.com> on 1997/01/13 21:38:47 UTC

[BUG]: "http_request.c breaks under Apache 1.1.2" on SunOS 4.x


Hi,

Thanks for the info. I'll pass it on to the right people.

cheers,
rob


On Mon, 13 Jan 1997 domatthe@cisco.com wrote:

> Submitter: domatthe@cisco.com
> Operating system: SunOS 4.x, version: 
> Version of Apache Used: 1.1.2
> Extra Modules used: N/A
> URL exhibiting problem: Any URL in the format /cgi-bin/PROGRAM/ARG1/ARG2 etc...
> 
> Symptoms:
> --
> Any CGI program passed with slash delimited arguments, to the new
> Apache 1.1.2 on an operating system that has ENOENT defined, will
> fail.  The issue is that stat(2v) will return ENOTDIR while
> recursively stating the path, when stat-ing cgi-bin/<program-name> (it
> is a file, not a directory)
> 
> This bug will break all server-side imagemaps, footers, and probably
> other heavily-used CGI programs.
> 
> For example:
> 
> stat(2v) /cgi-bin/imagemap/mapfile will recursively resolve as
> follows: cgi-bin is a dir, imagemap is an entity, but not a dir, so it
> cannot contain a file "mapfile".  stat(2v) returns ENOTDIR. 
> 
> 
> Our fix: check if is_scriptaliased (defined in Apache's mod_cgi.c)
> returns 1 at the same time you're checking if errno == ENOENT,
> logically or'd
> 
> 
> Please let us know if this introduces any new security issues.
> 
> Here's a context diff for a patch by John Stewart (jns@cisco.com) and
> me (domatthe@cisco.com) which implements our fix:
> 
> 
> RCS file: RCS/http_request.c,v
> retrieving revision 1.1
> diff -c -r1.1 http_request.c
> *** http_request.c      1997/01/13 19:53:58     1.1
> --- http_request.c      1997/01/13 19:54:17
> ***************
> *** 180,186 ****
>             return OK;
>         }
>   #if defined(ENOENT)
> !       else if (errno == ENOENT) {
>   #else
>     #error Your system apparently does not define ENOENT.
>     #error Removal of these lines opens a security hole if protecting
> --- 180,186 ----
>             return OK;
>         }
>   #if defined(ENOENT)
> !       else if ((errno == ENOENT) || is_scriptaliased(r)) {
>   #else
>     #error Your system apparently does not define ENOENT.
>     #error Removal of these lines opens a security hole if protecting
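Review bot: the widened condition on the new side, `else if ((errno == ENOENT) || is_scriptaliased(r))`, sends every stat() failure on a script-aliased request down the "keep walking" branch (EACCES, ELOOP, EIO and so on), not only the ENOTDIR case the report describes, while the #error text directly beneath it states that loosening this check opens a security hole. Test for the reported error instead, e.g. `else if (errno == ENOENT || errno == ENOTDIR)`, and extend the surrounding guard to `#if defined(ENOENT) && defined(ENOTDIR)`; that fixes /cgi-bin/PROGRAM/ARG for every handler without depending on ScriptAlias. The report also says is_scriptaliased() lives in mod_cgi.c, and the hunk shows nothing that makes it visible to http_request.c, so as posted the patch needs that declaration as well.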
> ***************
> *** 197,203 ****
>         } 
>   #if defined(ENOENT)
>         else {
> !           log_printf(r->server, "access to %s failed for client; unable to 
> determine if index file exists (stat() returned unexpected error)", 
> r->filename);
>             return FORBIDDEN;
>         }
>   #endif
> --- 197,203 ----
>         } 
>   #if defined(ENOENT)
>         else {
> !           log_printf(r->server, "access to %s failed for client; unable to 
> determine if index file exists (stat() returned unexpected error: %d)", 
> r->filename, errno);
>             return FORBIDDEN;
>         }
>   #endif
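Review bot: logging errno with `%d` in the new-side log_printf() is only meaningful if nothing between the failing stat() and this call can overwrite errno; that stretch is outside the hunk, so copy errno into a local immediately after stat() and log that, preferably through strerror() with `%s` so the log reads "Not a directory" rather than a bare number. Note also that the string literal appears here split across three lines (on both the old and new side); that is mail wrapping, and the applied patch must keep the literal on one line or it will not compile.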
> 
> 
> 
> --
> 
> Backtrace:
> --
> 
> --

--
Rob Hartill.       Internet Movie Database Ltd.    http://www.imdb.com/
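To make the reported failure concrete, here is an added example (not code from the report or from Apache) that models the backward stat() walk the bug report describes: with only ENOENT treated as "keep walking", /cgi-bin/imagemap/mapfile is denied, while also accepting ENOTDIR splits it into the script file and its PATH_INFO. The fixture path /tmp/pathinfo-demo and the function names are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum walk_result { WALK_OK, WALK_NOT_FOUND, WALK_DENY };
/* Backward stat() walk as the report describes: stat the full name and,
 * while it fails, chop the last component and retry. accept_enotdir=0 is
 * the 1.1.2 rule (only ENOENT means "keep walking"), so hitting the CGI
 * file part-way gives ENOTDIR and a deny; accept_enotdir=1 walks past it
 * and the chopped tail becomes PATH_INFO. Other stat() errors stay denied. */
enum walk_result split_path_info(const char *path, int accept_enotdir,
                                 char *file, size_t flen, char *info, size_t ilen)
{
    struct stat st; char buf[1024];
    size_t n = strlen(path);
    if (n == 0 || n >= sizeof buf) return WALK_DENY;
    memcpy(buf, path, n + 1);
    char *cp = buf + n;                        /* end of the prefix under test */
    while (cp > buf) {
        *cp = '\0';
        int rc = stat(buf, &st), err = errno;  /* read errno before anything else */
        if (rc == 0) {
            /* a directory reached after chopping means the tail does not exist */
            if (S_ISDIR(st.st_mode) && cp != buf + n) return WALK_NOT_FOUND;
            snprintf(file, flen, "%s", buf);
            snprintf(info, ilen, "%s", path + (cp - buf));
            return WALK_OK;
        }
        if (err != ENOENT && !(accept_enotdir && err == ENOTDIR))
            return WALK_DENY;                  /* the FORBIDDEN branch */
        while (--cp > buf && *cp != '/') {}    /* drop the last component */
    }
    return WALK_NOT_FOUND;
}

/* Constructed fixture: /tmp/pathinfo-demo/cgi-bin/imagemap, a plain file
 * standing in for the CGI program. Returns 0 on success. */
static const char *fixture_root = "/tmp/pathinfo-demo";
int make_fixture(void)
{
    char p[256];
    if (mkdir(fixture_root, 0755) != 0 && errno != EEXIST) return -1;
    snprintf(p, sizeof p, "%s/cgi-bin", fixture_root);
    if (mkdir(p, 0755) != 0 && errno != EEXIST) return -1;
    strcat(p, "/imagemap");
    int fd = open(p, O_WRONLY | O_CREAT, 0755);
    return fd < 0 ? -1 : close(fd);
}
```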