You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Jeff Barry <je...@world.std.com> on 1999/09/06 04:51:00 UTC
mod_rewrite/4963: Multiple time variables can expand incorrectly in a URL rewrite.
>Number: 4963
>Category: mod_rewrite
>Synopsis: Multiple time variables can expand incorrectly in a URL rewrite.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Sun Sep 5 20:00:01 PDT 1999
>Last-Modified:
>Originator: jeff@world.std.com
>Organization:
apache
>Release: from 1.2 to latest
>Environment:
Any environment where URL rewrites are going on and those rewrites
involve the expansion of time variables.
>Description:
Hi,
While analyzing the Apache 1.2.6 source code for Y2K bugs I found
a bug which CAN (but won't necessarily) occur at the end of any
minute including, therefore, critical Y2K rollovers. My estimation
is that the probability of the bug having an effect is very low,
but it is still greater than zero. It only affects URL rewrites
which include time variables, but over the fullness of time....
This bug can appear to make time run backwards and create impossible
dates, eg Saturday, 5-Sep-99. What the effect on the application
attempting to use the rewritten URL would be is, of course,
application dependent.
Here is a FRAGMENT of the offending code to give you an idea of
what it does. I had to reformat it since my eMail decided to
concatenate it all....
=======================================================================
#define MKTIMESTR(format, tmfield) \
tc = time(NULL); \
tm = localtime(&tc); \
ap_snprintf(resultbuf, sizeof(resultbuf), format, tm->tmfield); \
result = resultbuf;
else if (strcasecmp(var, "TIME_MON") == 0)
{ MKTIMESTR("%02d", tm_mon+1) }
else if (strcasecmp(var, "TIME_DAY") == 0)
{ MKTIMESTR("%02d", tm_mday) }
else if (strcasecmp(var, "TIME_HOUR") == 0)
{ MKTIMESTR("%02d", tm_hour) }
else if (strcasecmp(var, "TIME_MIN") == 0)
{ MKTIMESTR("%02d", tm_min) }
else if (strcasecmp(var, "TIME_SEC") == 0)
{ MKTIMESTR("%02d", tm_sec) }
else if (strcasecmp(var, "TIME_WDAY") == 0)
{ MKTIMESTR("%d", tm_wday) }
. . .
=======================================================================
The function containing the above code fragment, lookup_variable() in
mod_rewrite.c, is called once for every variable expansion within a URL
rewrite. If N > 1 time variables are expanded within one URL rewrite
then the time() and localtime() within the MKTIMESTR macro will be
executed N times. Aside from inefficiency it means that one of those
time() calls could potentially be in a minute, hour, day, month, year,
century or millennium later than the preceding time() call, and the
result will therefore be mixed date and/or time components within that
one URL rewrite. The bug can be provoked at the end of any minute,
depending on the specifics of the URL rewrite and bad luck.
This function is local to the module, so the bug can only occur
during URL rewrites. I checked and this bug also exists in the latest
Apache sources (1.3.9). I would not expect URL rewrites in intervening
or earlier versions to be correct.
Jeff Barry
jeff@world.std.com
>How-To-Repeat:
By creating a URL rewrite which expands and depends upon multiple
time variables, including seconds and minutes, and then exercising
that rewrite at the end of every minute. It is more likely to occur
if the system is heavily loaded and/or the rewrite is doing something
which interrupts the server process between expansion of time variables.
Best to just look at the code.
>Fix:
Capture the time ONCE at the start of each URL rewrite and use that
time for that entire rewrite.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <ap...@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or ]
["Re: general/1098:"). If the subject doesn't match this ]
[pattern, your message will be misfiled and ignored. The ]
["apbugs" address is not added to the Cc line of messages from ]
[the database automatically because of the potential for mail ]
[loops. If you do not include this Cc, your reply may be ig- ]
[nored unless you are responding to an explicit request from a ]
[developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]