Posted to cvs@httpd.apache.org by fa...@locus.apache.org on 2000/10/18 06:48:35 UTC
cvs commit: apache-2.0/src/main http_vhost.c
fanf 00/10/17 21:48:35
Modified: src CHANGES
src/main http_vhost.c
Log:
Tighten up the syntax checking of Host: headers to fix a
security bug in some mass virtual hosting configurations
that can allow a remote attacker to retrieve some files
on the system that should be inaccessible. The problem
occurred with requests including the line "Host: ..." --
the last dot is stripped and the remaining ".." then
reveals a parent directory.
Reported by: Peter Christoffersen <pc...@mindpass.com>
Message-ID: <8q...@news.inet.tele.dk>
Newsgroups: comp.infosystems.www.servers.unix
Revision Changes Path
1.280 +6 -0 apache-2.0/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /home/cvs/apache-2.0/src/CHANGES,v
retrieving revision 1.279
retrieving revision 1.280
diff -u -u -r1.279 -r1.280
--- CHANGES 2000/10/17 21:53:41 1.279
+++ CHANGES 2000/10/18 04:48:34 1.280
@@ -1,4 +1,10 @@
Changes with Apache 2.0a8
+
+ *) Tighten up the syntax checking of Host: headers to fix a
+ security bug in some mass virtual hosting configurations
+ that can allow a remote attacker to retrieve some files
+ on the system that should be inaccessible. [Tony Finch]
+
*) Add a pool bucket type. This bucket is used for data allocated out
of a pool. If the pool is cleaned before the bucket is destroyed, then
the data is converted to a heap bucket, allowing it to survive the
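Review bot: the CHANGES entry leaves out the trigger and the reporter credit that the log message carries; administrators reading CHANGES cannot tell whether their configuration was exposed. Suggest extending the entry with the condition from the log ("requests with a Host: header such as 'Host: ..' where the final dot is stripped and the remaining '..' reveals a parent directory") and crediting Peter Christoffersen alongside Tony Finch, as the log does.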
1.29 +8 -1 apache-2.0/src/main/http_vhost.c
Index: http_vhost.c
===================================================================
RCS file: /home/cvs/apache-2.0/src/main/http_vhost.c,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -u -r1.28 -r1.29
--- http_vhost.c 2000/10/16 06:04:52 1.28
+++ http_vhost.c 2000/10/18 04:48:34 1.29
@@ -714,7 +714,14 @@
src = r->hostname;
dst = host;
while (*src) {
- if (!apr_isalnum(*src) && *src != '.' && *src != '-') {
+ if (!apr_isalnum(*src) && *src != '-') {
+ if (*src == '.') {
+ *dst++ = *src++;
+ if (*src == '.')
+ goto bad;
+ else
+ continue;
+ }
if (*src == ':')
break;
else
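Review bot: the new branch in the while loop rejects only two adjacent dots, so a hostname consisting of a lone "." or starting with "." (for example ".example") still passes this check; given that the log message says the final dot is stripped afterwards, a lone "." would leave an empty name, so either reject a "." when `dst == host` (first character) as well, or confirm that the later stripping code handles that case. The `goto bad` also depends on a `bad:` label outside this hunk; worth double-checking it is still reachable from inside the loop after the added `continue`.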