Posted to dev@httpd.apache.org by Marc Slemko <ma...@znep.com> on 1997/12/30 21:32:50 UTC

Re: Apache DoS attack? (fwd)

My posts are showing up on bugtraq within 10 minutes and making it back to
me within 30... since people are mailing me asking for the patch since
they haven't seen it, I reposted just the 1.2 one.

Sigh.

---------- Forwarded message ----------
Date: Tue, 30 Dec 1997 13:30:56 -0700 (MST)
From: Marc Slemko <ma...@znep.com>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Apache DoS attack?

On Tue, 30 Dec 1997, Marc Slemko wrote:

[...]

> Please see the patch Dean Gaudet has posted to bugtraq for the solution.

Since people are telling me that Dean's post has not made it yet and
asking for the patch, and I don't see it here yet, I am reposting his
patch for 1.2.  A similar thing applies to 1.3. 

This patch has been applied to the Apache CVS tree and will be available
in a new release at some point in the reasonably near future. 

Index: src/util.c
===================================================================
RCS file: /export/home/cvs/apache/src/util.c,v
retrieving revision 1.52.2.2
diff -u -r1.52.2.2 util.c
--- util.c	1997/06/27 01:47:47	1.52.2.2
+++ util.c	1997/12/30 18:09:15
@@ -328,14 +328,22 @@
     }
 } 
 
-void no2slash(char *name) {
-    register int x,y;
+void no2slash(char *name)
+{
+    char *d, *s;
 
-    for(x=0; name[x];)
-        if(x && (name[x-1] == '/') && (name[x] == '/'))
-            for(y=x+1;name[y-1];y++)
-                name[y-1] = name[y];
-	else x++;
+    s = d = name;
+    while (*s) {
+        if ((*d++ = *s) == '/') {
+            do {
+                ++s;
+            } while (*s == '/');
+        }
+        else {
+            ++s;
+        }
+    }
+    *d = '\0';
 }
 
 char *make_dirstr(pool *p, const char *s, int n) {
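
Review bot: the rewritten no2slash() has no comment, and its loop condition (*d++ = *s) == '/' packs the copy, the advance of d and the comparison into one expression, which is easy to misread. A short comment above the function would help: it should say that each run of '/' is collapsed to a single '/' in place, in one pass over the string. That would also record why the old loop was replaced, since it shifted the whole remainder of the string left by one byte for every extra slash. Separately, name is dereferenced without a NULL check, as it was in the old version; if callers can never pass NULL, state that in the same comment.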





Re: Apache DoS attack? (fwd)

Posted by Ben Laurie <be...@algroup.co.uk>.
Marc Slemko wrote:
> 
> On Tue, 30 Dec 1997, Marc Slemko wrote:
> 
> > My posts are showing up on bugtraq within 10 minutes and making it back to
> > me within 30... since people are mailing me asking for the patch since
> > they haven't seen it, I reposted just the 1.2 one.
> 
> And now my message with the patch has arrived back here from bugtraq
> 13 minutes after being sent, with no sign of Dean's original yet...

I've now got everything so far mentioned from bugtraq, except Dean's
post. Curious.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache

Re: Apache DoS attack? (fwd)

Posted by Marc Slemko <ma...@worldgate.com>.
On Tue, 30 Dec 1997, Marc Slemko wrote:

> My posts are showing up on bugtraq within 10 minutes and making it back to
> me within 30... since people are mailing me asking for the patch since
> they haven't seen it, I reposted just the 1.2 one.

And now my message with the patch has arrived back here from bugtraq
13 minutes after being sent, with no sign of Dean's original yet...

> 
> Sigh.

Double sigh.