Posted to dev@httpd.apache.org by Stipe Tolj <to...@wapme-systems.de> on 2004/02/04 17:48:48 UTC
[SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability
Hi list,
attached patch fixes the bug# 26152 as described in
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26152
Main purpose was to handle backslashes in the URI to avoid misleading
interpretation via the underlying cygwin OS layer, which allows
backslashes as directory delimiters.
Therefore src/os/cygwin/util_cygwin.c implements its own
ap_os_canonical_filename() routine to map backslashes to slashes and
rely on the subsequent directory_walk() and file_walk() security
mechanisms.
Please review and apply to cvs.
I will update the binary apache 1.3.29-x distribution package for the
cygwin net distribution with this fix.
Stipe
mailto:tolj@wapme-systems.de
-------------------------------------------------------------------
Wapme Systems AG
Münsterstr. 248
40470 Düsseldorf, NRW, Germany
phone: +49.211.74845.0
fax: +49.211.74845.299
mailto:info@wapme-systems.de
http://www.wapme-systems.de/
-------------------------------------------------------------------
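The post above proposes mapping backslashes to slashes before the generic directory_walk() checks run; the replies that follow argue instead for rejecting such a URI with a 400. The C program below is an added example, not the patch and not Apache code: it models a Cygwin-like layer where '\' is a separator that the slash-only dot-dot check cannot see, and shows the request status under the unpatched model, under the map-to-slash approach, and under the reject approach. The function names (canonicalize_backslashes, reject_backslashes, path_escapes_docroot, status_*), the simplified dot-dot walker and the sample URIs are assumptions for illustration only.

```c
/* Added example, not from the patch or from Apache: models the two
 * approaches in this thread for a URI such as "/..\\..\\etc\\passwd"
 * on a platform whose OS layer treats '\\' as a directory separator.
 * All names and sample URIs are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HTTP_OK                    200
#define HTTP_BAD_REQUEST           400
#define HTTP_FORBIDDEN             403
#define HTTP_INTERNAL_SERVER_ERROR 500

/* Approach 1 (the patch): copy the path and rewrite '\\' to '/'.
 * Caller frees the result. */
char *canonicalize_backslashes(const char *path)
{
    size_t len = strlen(path);
    char *buf = malloc(len + 1);
    char *pos;
    if (buf == NULL)
        return NULL;
    memcpy(buf, path, len + 1);
    for (pos = buf; *pos; pos++)
        if (*pos == '\\')
            *pos = '/';
    return buf;
}

/* Approach 2 (Roy/Bill): a Unix-emulating port never needs '\\' in a
 * request path, so its presence alone is grounds for a 400. */
int reject_backslashes(const char *path)
{
    return strchr(path, '\\') != NULL;
}

/* Stand-in for the directory_walk() dot-dot check: walk '/'-separated
 * segments with a depth counter; a ".." that would pop above depth 0
 * escapes the document root. Only '/' is a separator here, which is
 * exactly why an unmapped '\\' slips past it. */
int path_escapes_docroot(const char *path)
{
    int depth = 0;
    const char *p = path;
    while (*p) {
        const char *seg;
        size_t n;
        while (*p == '/')
            p++;
        if (!*p)
            break;
        seg = p;
        while (*p && *p != '/')
            p++;
        n = (size_t)(p - seg);
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            if (--depth < 0)
                return 1;
        } else if (!(n == 1 && seg[0] == '.')) {
            depth++;
        }
    }
    return 0;
}

/* Unpatched model: the walker never sees the '\\', so the traversal
 * passes, and the OS layer would still honour '\\' as a separator. */
int status_unpatched(const char *uri)
{
    return path_escapes_docroot(uri) ? HTTP_FORBIDDEN : HTTP_OK;
}

/* Patched model: map first, then let the dot-dot check decide. */
int status_with_canonicalize(const char *uri)
{
    char *canon = canonicalize_backslashes(uri);
    int escapes;
    if (canon == NULL)
        return HTTP_INTERNAL_SERVER_ERROR;
    escapes = path_escapes_docroot(canon);
    free(canon);
    return escapes ? HTTP_FORBIDDEN : HTTP_OK;
}

/* Reject model: any '\\' is a malformed request for this port. */
int status_with_reject(const char *uri)
{
    if (reject_backslashes(uri))
        return HTTP_BAD_REQUEST;
    return path_escapes_docroot(uri) ? HTTP_FORBIDDEN : HTTP_OK;
}

int main(void)
{
    /* Constructed sample URIs; the third is the shape from the report. */
    const char *uris[] = {
        "/index.html",
        "/../../etc/passwd",
        "/..\\..\\etc\\passwd",
        "/images\\..\\..\\..\\etc\\passwd",
    };
    size_t i;
    for (i = 0; i < sizeof uris / sizeof uris[0]; i++)
        printf("%-34s unpatched=%d canonicalize=%d reject=%d\n", uris[i],
               status_unpatched(uris[i]),
               status_with_canonicalize(uris[i]),
               status_with_reject(uris[i]));
    return 0;
}
```

The unpatched column is the point of the bug report: the dot-dot check sees "..\..\etc\passwd" as a single harmless segment and answers 200, while the Cygwin layer underneath would split it on the backslashes. Both fixes close that gap; they differ only in whether the client gets a 403 for the mapped path or a 400 for the malformed one.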
Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability
Posted by Martin Kraemer <Ma...@fujitsu-siemens.com>.
On Wed, Feb 04, 2004 at 05:48:48PM +0100, Stipe Tolj wrote:
> Hi list,
>
> attached patch fixes the bug# 26152 as described in
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26152
>
> Main purpose was to handle backslashes in the URI to avoid misleading
> interpretation via the underlying cygwin OS layer, which allows
> backslashes as directory delimiters.
>
> Therefore src/os/cygwin/util_cygwin.c implements its own
> ap_os_canonical_filename() routine to map backslashes to slashes and
> rely on the subsequent directory_walk() and file_walk() security
> mechanisms.
Thanks (but please send the diffs in a registered plaintext format,
e.g. text/plain, not application/x-unknown-content-type-diff_auto_file)
+API_EXPORT(char *) ap_os_canonical_filename(pool *pPool, const char *szFile)
+{
+ char *buf;
+ char buf2[MAX_STRING_LEN];
+ int rc, len;
+ char *pos;
+
+ len = strlen(szFile);
+ buf = ap_pstrndup(pPool, szFile, len);
+
+ /* Switch backslashes to forward */
+ for (pos=buf; *pos; pos++)
+ if (*pos == '\\')
+ *pos = '/';
+
+ return ap_pstrdup(pPool, buf);
IMO this additional dupping is not needed; just "return buf;"
+}
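Review bot: the rewrite in this hunk silently accepts the backslash and carries on, so the caller has no way to send the 400 that Roy asks for later in this thread; either detect '\\' before canonicalization and fail the request there, or have this routine signal that it found one instead of only mapping it. Within the hunk, buf2 and rc are declared but never used, and ap_pstrndup(pPool, szFile, len) with len = strlen(szFile) is just ap_pstrdup(pPool, szFile), so with Martin's "return buf;" the body reduces to one dup plus the loop.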
Martin
--
<Ma...@Fujitsu-Siemens.com> | Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730 Munich, Germany
Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability
Posted by Stipe Tolj <to...@wapme-systems.de>.
"William A. Rowe, Jr." wrote:
>
> At 05:45 PM 2/4/2004, Roy T. Fielding wrote:
> >-1. Reject the request with a 400 error instead.
>
> ++1 to Roy's suggestion.
>
> I believe that Win32 may accept the back slash (with the changes proposed
> for the cygwin port.) However ... here's the trick ... the cygwin httpd port
> is emulating Unix, so it should behave as a unix port.
Which actually means what? ... I didn't get the point. Maybe it's too
late here... ;)
Stipe
Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 05:45 PM 2/4/2004, Roy T. Fielding wrote:
>-1. Reject the request with a 400 error instead.
++1 to Roy's suggestion.
I believe that Win32 may accept the back slash (with the changes proposed
for the cygwin port.) However ... here's the trick ... the cygwin httpd port
is emulating Unix, so it should behave as a unix port.
Bill
Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability
Posted by Stipe Tolj <to...@wapme-systems.de>.
Stipe Tolj wrote:
>
> Hi Roy,
>
> "Roy T. Fielding" wrote
> >
> > -1. Reject the request with a 400 error instead.
>
> actually a standard (apache layout) install (from source) on a linux
> box with the URI described in the bug report also gives a 404, and
> *not* a 400, in response.
>
> So we get the same behaviour on cygwin as on linux?! Why is the
> behaviour on cygwin then "more wrong"?
which does not mean that I'm vetoing the -1 in terms of HTTP response
code semantics. That's ok for me, and actually I would be +1 for
responding 400 to a "non-valid, abusing" URI. I just wanted to mention
that the linux install did the same. So we should have it changed
generically, not specifically for cygwin, IMO.
Stipe
Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability
Posted by Stipe Tolj <to...@wapme-systems.de>.
Hi Roy,
"Roy T. Fielding" wrote
>
> -1. Reject the request with a 400 error instead.
actually a standard (apache layout) install (from source) on a linux
box with the URI described in the bug report also gives a 404, and
*not* a 400, in response.
So we get the same behaviour on cygwin as on linux?! Why is the
behaviour on cygwin then "more wrong"?
Stipe
Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability
Posted by "Roy T. Fielding" <fi...@gbiv.com>.
-1. Reject the request with a 400 error instead.
....Roy