You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1997/01/11 21:47:25 UTC
Re: problem with log url overflow found
Cool. So is the fix just to change the comparison below to:
if (rv == 0)
> Check out http_request.c, line 160:
>
> rv = stat(path, &r->finfo);
>
> On some systems, when you get too many '/'s, the stat will return -1.
> That is why some people can't see it. I would be other web servers
> (and lots of other programs) have the same problem.
>
> I added some debugging output and got the below on a FreeBSD 2.1.5
> system. Note the line that says "stat of /usr/local... returned
> -1". A log from a trial with less '/'s is shown below this log.
>
> [Sat Jan 11 13:30:27 1997] entering directory_walk, st_mode = 0
> [Sat Jan 11 13:30:27 1997] entering get_path_info, st_mode = 0
> [Sat Jan 11 13:30:27 1997] stat of /usr/local/etc/httpd/htdocs returned 0
> [Sat Jan 11 13:30:27 1997] exiting get_path_info early1, st_mode = 16893
> [Sat Jan 11 13:30:27 1997] returning normally from directory_walk, st_mode = 16893
> [Sat Jan 11 13:30:28 1997] entering directory_walk, st_mode = 0
> [Sat Jan 11 13:30:28 1997] entering get_path_info, st_mode = 0
> [Sat Jan 11 13:30:28 1997] stat of /usr/local/etc/httpd/htdocs/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
> ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
> ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
> ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
> ///////////////////////////////////////////index.html returned -1
> [Sat Jan 11 13:30:28 1997] stat of /usr/local/etc/httpd/htdocs returned 0
> [Sat Jan 11 13:30:28 1997] setting st_mode to 0 in get_path_info
> [Sat Jan 11 13:30:28 1997] exiting get_path_info early1, st_mode = 0
> [Sat Jan 11 13:30:28 1997] returning normally from directory_walk, st_mode = 0
> [Sat Jan 11 13:30:28 1997] checking file index.html, uri: /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
> ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
> ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
> ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
> ///////////////////////////////////////index.html
> status: 200 st_mode: 0
>
>
> Trying "http://alive/////////////////////////" gives what is expected:
>
> [Sat Jan 11 13:32:31 1997] entering directory_walk, st_mode = 0
> [Sat Jan 11 13:32:31 1997] entering get_path_info, st_mode = 0
> [Sat Jan 11 13:32:31 1997] stat of /usr/local/etc/httpd/htdocs returned 0
> [Sat Jan 11 13:32:31 1997] exiting get_path_info early1, st_mode = 16893
> [Sat Jan 11 13:32:31 1997] returning normally from directory_walk, st_mode = 16893
> [Sat Jan 11 13:32:31 1997] entering directory_walk, st_mode = 0
> [Sat Jan 11 13:32:31 1997] entering get_path_info, st_mode = 0
> [Sat Jan 11 13:32:31 1997] stat of /usr/local/etc/httpd/htdocs/////////////////////////index.html returned 0
> [Sat Jan 11 13:32:31 1997] exiting get_path_info early1, st_mode = 33188
> [Sat Jan 11 13:32:31 1997] returning normally from directory_walk, st_mode = 33188
> [Sat Jan 11 13:32:31 1997] checking file index.html, uri: /////////////////////////index.html
> status: 200 st_mode: 33188
> [Sat Jan 11 13:32:31 1997] internal redirect from /////////////////////////index.html to /////////////////////////index.html
>
> [Sat Jan 11 13:32:31 1997] entering directory_walk, st_mode = 0
> [Sat Jan 11 13:32:31 1997] entering get_path_info, st_mode = 0
> [Sat Jan 11 13:32:31 1997] stat of /usr/local/etc/httpd/htdocs/////////////////////////index.html returned 0
> [Sat Jan 11 13:32:31 1997] exiting get_path_info early1, st_mode = 33188
> [Sat Jan 11 13:32:31 1997] returning normally from directory_walk, st_mode = 33188
>
Re: problem with log url overflow found
Posted by Marc Slemko <ma...@znep.com>.
No. The trick is that right now we are saying that a failure to stat
the path (while looking for the index file) means the file doesn't
exist, so there is no index file, so make a directory listing.
However, there are other reasons that stat can fail.
How portable would a check something like
if (errno == ENAMETOOLONG) { refuse the request or something }
be?
Or should we only generate an index if (errno == ENOENT)?
I think checking the errno would be easier than checking the length of
the path before calling stat, since various systems may have various
limits and I'm not sure they all use the same define to say what the
max is.
Damn, I think some systems may silently truncate the path before
checking. Grr. Reasonably easy to fix (aside from the fact that
there isn't a nice pretty defined way to return what we want to the
caller), but portability is hell.
The good thing is that it looks like _ALL_ this bug can do is get you
a directory index of the directory you request, and nothing more
devious.
On Sat, 11 Jan 1997, Randy Terbush wrote:
>
> Cool. So is the fix just to change the comparison below to:
>
> if (rv == 0)
Umm.. what is the difference between rv == 0 and !rv?
>
>
> > Check out http_request.c, line 160:
> >
> > rv = stat(path, &r->finfo);
> >
> > On some systems, when you get too many '/'s, the stat will return -1.
> > That is why some people can't see it. I would be other web servers
> > (and lots of other programs) have the same problem.