Posted to cvs@httpd.apache.org by fa...@locus.apache.org on 2000/06/15 02:56:38 UTC
cvs commit: apache-2.0/src/modules/standard mod_vhost_alias.c
fanf 00/06/14 17:56:38
Modified: src CHANGES
src/modules/standard mod_vhost_alias.c
Log:
Prevent the source code for CGIs from being revealed when using
mod_vhost_alias and the CGI directory is under the document root
and a user makes a request like http://www.example.com//cgi-bin/cgi
as reported in <ne...@ernani.logica.co.uk>
Revision Changes Path
1.152 +6 -0 apache-2.0/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /home/cvs/apache-2.0/src/CHANGES,v
retrieving revision 1.151
retrieving revision 1.152
diff -u -r1.151 -r1.152
--- CHANGES 2000/06/14 00:19:29 1.151
+++ CHANGES 2000/06/15 00:56:37 1.152
@@ -1,5 +1,11 @@
Changes with Apache 2.0a5
+ *) Prevent the source code for CGIs from being revealed when using
+ mod_vhost_alias and the CGI directory is under the document root
+ and a user makes a request like http://www.example.com//cgi-bin/cgi
+ as reported in <ne...@ernani.logica.co.uk>
+ [Tony Finch]
+
*) Add support for the new Beos NetwOrking Environment (BONE)
[David Reid]
1.11 +7 -9 apache-2.0/src/modules/standard/mod_vhost_alias.c
Index: mod_vhost_alias.c
===================================================================
RCS file: /home/cvs/apache-2.0/src/modules/standard/mod_vhost_alias.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- mod_vhost_alias.c 2000/06/12 21:47:05 1.10
+++ mod_vhost_alias.c 2000/06/15 00:56:37 1.11
@@ -415,25 +415,23 @@
mva_sconf_t *conf;
const char *name, *map, *uri;
mva_mode_e mode;
- int cgi;
+ const char *cgi;
conf = (mva_sconf_t *) ap_get_module_config(r->server->module_config,
&vhost_alias_module);
- if (!strncmp(r->uri, "/cgi-bin/", 9)) {
+ cgi = strstr(r->uri, "cgi-bin/");
+ if (cgi && cgi - r->uri != strspn(r->uri, "/")) {
+ cgi = NULL;
+ }
+ if (cgi) {
mode = conf->cgi_root_mode;
map = conf->cgi_root;
- uri = r->uri + 8;
- /*
- * can't force cgi immediately because we might not handle this
- * call if the mode is wrong
- */
- cgi = 1;
+ uri = cgi + strlen("cgi-bin");
}
else if (r->uri[0] == '/') {
mode = conf->doc_root_mode;
map = conf->doc_root;
uri = r->uri;
- cgi = 0;
}
else {
return DECLINED;
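Review bot: The new guard `if (cgi && cgi - r->uri != strspn(r->uri, "/"))` accepts a URI with no leading slash at all — for a `r->uri` of the form `cgi-bin/x`, `strspn` returns 0 and `cgi == r->uri`, so the request enters CGI mode, whereas the old `strncmp(r->uri, "/cgi-bin/", 9)` required the slash and the `else if (r->uri[0] == '/')` branch below still does. Requiring at least one leading slash keeps the two branches consistent and also removes the signed/unsigned comparison between the `ptrdiff_t` difference and `size_t`: `if (cgi && (cgi == r->uri || (size_t)(cgi - r->uri) != strspn(r->uri, "/"))) {`. The comment about not forcing CGI immediately was dropped together with `cgi = 1`, and nothing now records why a run of slashes is tolerated; a one-line comment above the `strstr` call would help the next reader, e.g. `/* accept "cgi-bin/" only directly after the leading run of '/' so "//cgi-bin/x" maps to the CGI root instead of the document root */`. The enclosing function continues past the hunk, and `cgi` is presumably still consulted there to select the handler.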