Posted to cvs@httpd.apache.org by fa...@locus.apache.org on 2000/06/15 02:56:38 UTC

cvs commit: apache-2.0/src/modules/standard mod_vhost_alias.c

fanf        00/06/14 17:56:38

  Modified:    src      CHANGES
               src/modules/standard mod_vhost_alias.c
  Log:
  Prevent the source code for CGIs from being revealed when using
  mod_vhost_alias and the CGI directory is under the document root
  and a user makes a request like http://www.example.com//cgi-bin/cgi
  as reported in <ne...@ernani.logica.co.uk>
  
  Revision  Changes    Path
  1.152     +6 -0      apache-2.0/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-2.0/src/CHANGES,v
  retrieving revision 1.151
  retrieving revision 1.152
  diff -u -r1.151 -r1.152
  --- CHANGES	2000/06/14 00:19:29	1.151
  +++ CHANGES	2000/06/15 00:56:37	1.152
  @@ -1,5 +1,11 @@
   Changes with Apache 2.0a5
   
  +  *) Prevent the source code for CGIs from being revealed when using
  +     mod_vhost_alias and the CGI directory is under the document root
  +     and a user makes a request like http://www.example.com//cgi-bin/cgi
  +     as reported in <ne...@ernani.logica.co.uk>
  +     [Tony Finch]
  +
     *) Add support for the new Beos NetwOrking Environment (BONE)
        [David Reid]
   
  
  
  
  1.11      +7 -9      apache-2.0/src/modules/standard/mod_vhost_alias.c
  
  Index: mod_vhost_alias.c
  ===================================================================
  RCS file: /home/cvs/apache-2.0/src/modules/standard/mod_vhost_alias.c,v
  retrieving revision 1.10
  retrieving revision 1.11
  diff -u -r1.10 -r1.11
  --- mod_vhost_alias.c	2000/06/12 21:47:05	1.10
  +++ mod_vhost_alias.c	2000/06/15 00:56:37	1.11
  @@ -415,25 +415,23 @@
       mva_sconf_t *conf;
       const char *name, *map, *uri;
       mva_mode_e mode;
  -    int cgi;
  +    const char *cgi;
     
       conf = (mva_sconf_t *) ap_get_module_config(r->server->module_config,
   					      &vhost_alias_module);
  -    if (!strncmp(r->uri, "/cgi-bin/", 9)) {
  +    cgi = strstr(r->uri, "cgi-bin/");
  +    if (cgi && cgi - r->uri != strspn(r->uri, "/")) {
  +        cgi = NULL;
  +    }
  +    if (cgi) {
   	mode = conf->cgi_root_mode;
   	map = conf->cgi_root;
  -	uri = r->uri + 8;
  -	/*
  -	 * can't force cgi immediately because we might not handle this
  -	 * call if the mode is wrong
  -	 */
  -	cgi = 1;
  +	uri = cgi + strlen("cgi-bin");
       }
       else if (r->uri[0] == '/') {
   	mode = conf->doc_root_mode;
   	map = conf->doc_root;
   	uri = r->uri;
  -	cgi = 0;
       }
       else {
   	return DECLINED;
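Review bot: The new prefix test `if (cgi && cgi - r->uri != strspn(r->uri, "/"))` no longer requires a leading slash: for a URI that begins directly with `cgi-bin/` both sides are 0 and the request takes the CGI branch, whereas the removed `strncmp(r->uri, "/cgi-bin/", 9)` and the `else if (r->uri[0] == '/')` branch below both insist on one. Whether such a URI can reach this hook is not visible in the hunk, so I would state the requirement explicitly with `if (cgi && (r->uri[0] != '/' || cgi != r->uri + strspn(r->uri, "/"))) {`, which also avoids comparing a signed pointer difference against the `size_t` returned by strspn(). The check deserves a short comment such as `/* accept cgi-bin/ only as the first path segment, after any run of leading slashes */`, because the commit removes the only comment in this branch and `cgi` now serves as both flag and pointer. The enclosing function starts and ends outside the hunk.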