You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2005/09/01 00:36:31 UTC

DO NOT REPLY [Bug 36452] New: - SSI can read arbitary data in memory (strange variables content)

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=36452>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=36452

           Summary: SSI can read arbitary data in memory (strange variables
                    content)
           Product: Apache httpd-2.0
           Version: 2.0.54
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: mod_include
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: gw@tnode.com


The problem occures in the following situation (I didn't manage to define the
problem exactly, because sometimes it doesn't happen):
If a requested SSI parsed file includes another file that uses <!--#printenv -->
and later includeas another file that also uses <!--#printenv --> (can be the
same one) or includes any arbitary CGI script, then a <!--#printenv --> command
after all this would display most of the variables correct, but some contain now
strange random data (from junk bytes, whole parts of files and to the chunked
output that the server already outputed in the same request). To put it short: a
memory problem (something in deallocated when it is still in use).

So the contents of files that behave strange is:
--- Start File 'apache2ssibug.html' ---
<html><head>
<title>Apache 2 - SSI bug</title>
</head><body>

<p>So, lets include a file that will do printenv:</p>
<!--#include virtual="apache2ssibug_printenv.html"-->

<p>Lets include it again (or any other file that does printenv and the same
happens also if you include any CGI script):</p>
<!--#include virtual="apache2ssibug_printenv.html"-->
<!--ALSO BUG WITH #include virtual="/cgi/apache2ssibug.pl"-->

<hr />
<p><b>And now we have:</b></p>
<pre><!--#printenv --></pre>

</body></html>
--- End File 'apache2ssibug.html' ---

--- Start File 'apache2ssibug_printenv.html' ---
<pre><!--#printenv --></pre>
--- End File 'apache2ssibug_printenv.html' ---

--- Start File 'apache2ssibug.pl' ---
#!/usr/bin/perl
use strict;
print "Content-Type: text/html\n\n<p>Actually nothing here!</p>\n";
--- End File 'apache2ssibug.pl' ---

I haven't tryed to find a patch. Till now the server didn't crash under any of
my such requests.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org