Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1997/01/13 23:50:21 UTC
Re: Alt patch II
This seems to work and fixes the exploit. The one problem I see is
that a request for http://www.somewhere.com/index.html////////
will return a 403, instead of a 404. Which should it be?
> Index: http_request.c
> ===================================================================
> RCS file: /export/home/cvs/apache/src/http_request.c,v
> retrieving revision 1.11
> diff -c -r1.11 http_request.c
> *** http_request.c 1996/07/01 18:10:29 1.11
> --- http_request.c 1997/01/13 21:59:32
> ***************
> *** 135,140 ****
> --- 135,158 ----
>
> #endif
> }
> +
> + char *collapse_path(pool *pool, char *path)
> + {
> + char *p,*d;
> + char *np;
> +
> + for(p=path ; p[1] && (p[0] != '/' || p[1] !='/') ; ++p)
> + ;
> + if(!p[1])
> + return path;
> +
> + np=palloc(pool,strlen(path));
> + for(d=np,p=path ; *d=*p ; ++p,++d)
> + while(p[0] == '/' && p[1] == '/')
> + ++p;
> +
> + return np;
> + }
>
> /* Dealing with the file system to get PATH_INFO
> */
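Review bot: The scan loop in `collapse_path` tests `p[1]` before `p[0]`, so an empty `path` makes it read one byte past the terminator. Whether `r->filename` can be empty at this point is not visible in the patch, but the guard is cheap: `for(p=path ; p[0] && p[1] && (p[0] != '/' || p[1] !='/') ; ++p)` followed by `if(!p[0] || !p[1])`. The `palloc(pool,strlen(path))` size is only sufficient because that line is reached after at least one `//` has been found, so the result is at least one byte shorter than the input and its NUL still fits. That invariant deserves a comment such as `/* at least one '/' is dropped, so strlen(path) bytes hold the result and its NUL */`, because removing the early return later would turn the copy into a one-byte overflow.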
> ***************
> *** 143,153 ****
> {
> char *cp;
> char *path = r->filename;
> ! char *end = &path[strlen(path)];
> char *last_cp = NULL;
> int rv;
> /* Advance over trailing slashes ... NOT part of filename */
>
> for (cp = end; cp > path && cp[-1] == '/'; --cp)
> continue;
> --- 161,175 ----
> {
> char *cp;
> char *path = r->filename;
> ! char *end;
> char *last_cp = NULL;
> int rv;
>
> /* Advance over trailing slashes ... NOT part of filename */
> +
> + path=collapse_path(r->pool,path);
> +
> + end=&path[strlen(path)];
>
> for (cp = end; cp > path && cp[-1] == '/'; --cp)
> continue;
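Review bot: After `path=collapse_path(r->pool,path);` the local `path` may point at a fresh pool copy while `r->filename` still holds the uncollapsed string, and nothing in this hunk writes the result back. The rest of the function lies outside the hunk; if it edits the string in place through `cp`, or if later phases are expected to see the cleaned name in `r->filename`, those effects now apply to the copy only and later checks would still run against the original path. Consider `r->filename = path = collapse_path(r->pool, path);` after confirming that is the intended contract. The comment `/* Advance over trailing slashes ... NOT part of filename */` now sits above the collapse call rather than the `for` loop it describes and should move down next to that loop.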
>
>
> --
> Ben Laurie Phone: +44 (181) 994 6435 Email: ben@algroup.co.uk
> Freelance Consultant and Fax: +44 (181) 994 6472
> Technical Director URL: http://www.algroup.co.uk/Apache-SSL
> A.L. Digital Ltd, Apache Group member (http://www.apache.org)
> London, England. Apache-SSL author