Posted to dev@httpd.apache.org by Stipe Tolj <to...@wapme-systems.de> on 2004/02/04 17:48:48 UTC

[SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability

Hi list,

attached patch fixes bug #26152 as described in
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26152

Main purpose was to handle backslashes in the URI to avoid misleading
interpretation via the underlying cygwin OS layer, which allows
backslashes as directory delimiters.

Therefore src/os/cygwin/util_cygwin.c implements its own
ap_os_canonical_filename() routine to map backslashes to slashes and
rely on the afterlying directory_walk() and file_walk() security
mechanisms.

Please review and apply to cvs.

I will update the binary apache 1.3.29-x distribution package for the
cygwin net distribution with this fix.

Stipe

mailto:tolj@wapme-systems.de
-------------------------------------------------------------------
Wapme Systems AG

Münsterstr. 248
40470 Düsseldorf, NRW, Germany

phone: +49.211.74845.0
fax: +49.211.74845.299

mailto:info@wapme-systems.de
http://www.wapme-systems.de/
-------------------------------------------------------------------

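As an added illustration of the two options this thread weighs (example code, not the submitted patch or any Apache source): the patch's backslash-to-slash mapping beside the reject-with-400 policy proposed later in the thread, with a ".." segment check standing in for the directory_walk()/file_walk() stage that the mapping is meant to feed. Function names and the sample path are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
/* Map every backslash in path to '/', in place, as the cygwin patch does in
 * ap_os_canonical_filename(); returns how many characters were rewritten. */
int canonicalize_backslashes(char *path)
{
    int mapped = 0;
    char *p;
    for (p = path; *p; p++) {
        if (*p == '\\') { *p = '/'; mapped++; }
    }
    return mapped;
}

/* The alternative raised on the list: refuse any request path containing a
 * backslash. Returns 400 for such a path, 0 for a path to pass through. */
int reject_backslashes(const char *path)
{
    return strchr(path, '\\') != NULL ? 400 : 0;
}

/* Look for a ".." segment between '/' delimiters, the pattern the later
 * directory_walk()/file_walk() checks guard against. A "..\" segment is
 * invisible to this check until canonicalization turns it into "../". */
int has_dotdot_segment(const char *path)
{
    const char *seg = path;
    for (;;) {
        const char *end = strchr(seg, '/');
        size_t n = end ? (size_t)(end - seg) : strlen(seg);
        if (n == 2 && seg[0] == '.' && seg[1] == '.')
            return 1;
        if (end == NULL)
            return 0;
        seg = end + 1;
    }
}

int main(void)
{
    /* Constructed sample path, not the one from the bug report. */
    char sample[] = "/icons/..\\..\\private/notes.txt";
    printf("reject policy answers %d\n", reject_backslashes(sample));
    printf("dotdot before mapping: %d\n", has_dotdot_segment(sample));
    canonicalize_backslashes(sample);
    printf("dotdot after mapping (%s): %d\n", sample, has_dotdot_segment(sample));
    return 0;
}
```

The point the thread makes shows up in the two has_dotdot_segment() results: the Unix-style check misses the "..\" segments until the backslashes are mapped, which is why the cygwin port needs either the mapping or an outright rejection before the walk.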

Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability

Posted by Martin Kraemer <Ma...@fujitsu-siemens.com>.
On Wed, Feb 04, 2004 at 05:48:48PM +0100, Stipe Tolj wrote:
> Hi list,
> 
> attached patch fixes bug #26152 as described in
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26152
> 
> Main purpose was to handle backslashes in the URI to avoid misleading
> interpretation via the underlying cygwin OS layer, which allows
> backslashes as directory delimiters.
> 
> Therefore src/os/cygwin/util_cygwin.c implements its own
> ap_os_canonical_filename() routine to map backslashes to slashes and
> rely on the afterlying directory_walk() and file_walk() security
> mechanisms.

Thanks (but please send the diffs in a registered plaintext format,
e.g. text/plain, not application/x-unknown-content-type-diff_auto_file)


+API_EXPORT(char *) ap_os_canonical_filename(pool *pPool, const char *szFile)
+{
+    char *buf;
+    char buf2[MAX_STRING_LEN];
+    int rc, len; 
+    char *pos;
+    
+    len = strlen(szFile);
+    buf = ap_pstrndup(pPool, szFile, len);
+
+    /* Switch backslashes to forward */
+    for (pos=buf; *pos; pos++)
+        if (*pos == '\\')
+            *pos = '/';
+    
+    return ap_pstrdup(pPool, buf);
IMO this additional dupping is not needed; just "return buf;"
+}
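Review bot: `char buf2[MAX_STRING_LEN]` and `int rc` in the declarations at the top of this function are never used and should be dropped (the unused stack buffer is MAX_STRING_LEN bytes on every call). `ap_pstrndup(pPool, szFile, len)` with `len = strlen(szFile)` copies the whole string, so it is just `ap_pstrdup(pPool, szFile)`; with the final `ap_pstrdup` removed as suggested above, the body reduces to one pool copy plus the loop. Separately, the loop silently rewrites every backslash rather than recording that one was present, so a caller cannot tell a canonical path from one that contained backslashes; if the list settles on answering such requests with 400, the condition needs to be reported to the caller instead of normalised away here.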

   Martin
-- 
<Ma...@Fujitsu-Siemens.com>         |     Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730  Munich,  Germany

Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability

Posted by Stipe Tolj <to...@wapme-systems.de>.
"William A. Rowe, Jr." wrote:
> 
> At 05:45 PM 2/4/2004, Roy T. Fielding wrote:
> >-1.  Reject the request with a 400 error instead.
> 
> ++1 to Roy's suggestion.
> 
> I believe that Win32 may accept the back slash (with the changes proposed
> for the cygwin port.)  However ... here's the trick ... the cygwin httpd port
> is emulating Unix, so it should behave as a unix port.

which means actually what? ... I didn't get the point. Maybe it's too
late here... ;)

Stipe


Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 05:45 PM 2/4/2004, Roy T. Fielding wrote:
>-1.  Reject the request with a 400 error instead.

++1 to Roy's suggestion.

I believe that Win32 may accept the back slash (with the changes proposed
for the cygwin port.)  However ... here's the trick ... the cygwin httpd port
is emulating Unix, so it should behave as a unix port.

Bill 


Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability

Posted by Stipe Tolj <to...@wapme-systems.de>.
Stipe Tolj wrote:
> 
> Hi Roy,
> 
> "Roy T. Fielding" wrote
> >
> > -1.  Reject the request with a 400 error instead.
> 
> actually a standard (apache layout) install (from source) on a linux
> box with the URI described in the bug report gives also a 404, and
> *not* a 400 in response.
> 
> So we get the same behaviour on cygwin as on linux?! Why is the
> behaviour on cygwin then "more wrong"?

which does not mean that I'm vetoing the -1 in terms of HTTP response
code semantics. That's ok for me and actually I would be +1 for
responding 400 to a "non-valid, abusing" URI. But just to mention
that the linux install did the same. So either we should have it
changed generically, but not specifically for cygwin IMO.

Stipe


Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability

Posted by Stipe Tolj <to...@wapme-systems.de>.
Hi Roy,

"Roy T. Fielding" wrote
> 
> -1.  Reject the request with a 400 error instead.

actually a standard (apache layout) install (from source) on a linux
box with the URI described in the bug report gives also a 404, and
*not* a 400 in response.

So we get the same behaviour on cygwin as on linux?! Why is the
behaviour on cygwin then "more wrong"?

Stipe


Re: [SECURITY-PATCH] cygwin: Apache 1.3.29 and below directory traversal vulnerability

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
-1.  Reject the request with a 400 error instead.

....Roy