Posted to cvs@httpd.apache.org by fa...@locus.apache.org on 2000/10/18 06:48:35 UTC

cvs commit: apache-2.0/src/main http_vhost.c

fanf        00/10/17 21:48:35

  Modified:    src      CHANGES
               src/main http_vhost.c
  Log:
  Tighten up the syntax checking of Host: headers to fix a
  security bug in some mass virtual hosting configurations
  that can allow a remote attacker to retrieve some files
  on the system that should be inaccessible. The problem
  occurred with requests including the line "Host: ..." --
  the last dot is stripped and the remaining ".." then
  reveals a parent directory.
  
  Reported by: Peter Christoffersen <pc...@mindpass.com>
  Message-ID: <8q...@news.inet.tele.dk>
  Newsgroups: comp.infosystems.www.servers.unix
  
  Revision  Changes    Path
  1.280     +6 -0      apache-2.0/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-2.0/src/CHANGES,v
  retrieving revision 1.279
  retrieving revision 1.280
  diff -u -u -r1.279 -r1.280
  --- CHANGES	2000/10/17 21:53:41	1.279
  +++ CHANGES	2000/10/18 04:48:34	1.280
  @@ -1,4 +1,10 @@
   Changes with Apache 2.0a8
  +
  +  *) Tighten up the syntax checking of Host: headers to fix a
  +     security bug in some mass virtual hosting configurations
  +     that can allow a remote attacker to retrieve some files
  +     on the system that should be inaccessible. [Tony Finch]
  +
     *) Add a pool bucket type.  This bucket is used for data allocated out
        of a pool.  If the pool is cleaned before the bucket is destroyed, then
        the data is converted to a heap bucket, allowing it to survive the
  
  
  
  1.29      +8 -1      apache-2.0/src/main/http_vhost.c
  
  Index: http_vhost.c
  ===================================================================
  RCS file: /home/cvs/apache-2.0/src/main/http_vhost.c,v
  retrieving revision 1.28
  retrieving revision 1.29
  diff -u -u -r1.28 -r1.29
  --- http_vhost.c	2000/10/16 06:04:52	1.28
  +++ http_vhost.c	2000/10/18 04:48:34	1.29
  @@ -714,7 +714,14 @@
       src = r->hostname;
       dst = host;
       while (*src) {
  -	if (!apr_isalnum(*src) && *src != '.' && *src != '-') {
  +	if (!apr_isalnum(*src) && *src != '-') {
  +	    if (*src == '.') {
  +		*dst++ = *src++;
  +		if (*src == '.')
  +		    goto bad;
  +		else
  +		    continue;
  +	    }
   	    if (*src == ':')
   		break;
   	    else
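Review bot: The new `*src == '.'` branch rejects only two consecutive dots, so a hostname that begins with a dot, or is a single dot, still passes this loop. If the trailing-dot stripping described in the log runs afterwards, a lone `.` would presumably leave an empty host string for configurations that interpolate the hostname into a filesystem path. Consider adding `if (dst == host) goto bad;` before `*dst++ = *src++;` so an empty leading label is refused as well. A short comment above the branch, such as `/* reject empty labels: ".." must never reach path interpolation */`, would record why the check exists. The rest of the loop, the `bad` label and the dot-stripping code lie outside this hunk, so this should be confirmed against the full function.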