Posted to cvs@httpd.apache.org by Alexei Kosut <ak...@hyperreal.com> on 1996/11/28 18:26:31 UTC

cvs commit: apache/src mod_dir.c

akosut      96/11/28 09:26:30

  Modified:    src       mod_dir.c
  Log:
  Fix directory indexing so that if an index file encounters an error
  that is not 404, it returns that error instead of a directory index.
  This was causing unsafe behavior.
  
  Reviewed by: Brian Behlendorf, Aram Mirzadeh, Paul Sutton
  
  Revision  Changes    Path
  1.16      +16 -0     apache/src/mod_dir.c
  
  Index: mod_dir.c
  ===================================================================
  RCS file: /export/home/cvs/apache/src/mod_dir.c,v
  retrieving revision 1.15
  retrieving revision 1.16
  diff -C3 -r1.15 -r1.16
  *** mod_dir.c	1996/11/03 20:48:33	1.15
  --- mod_dir.c	1996/11/28 17:26:29	1.16
  ***************
  *** 768,773 ****
  --- 768,774 ----
          (dir_config_rec *)get_module_config (r->per_dir_config, &dir_module);
        const char *names_ptr = d->index_names ? d->index_names : DEFAULT_INDEX;
        int allow_opts = allow_options (r);
  +     int error_notfound = 0;
    
        if (r->uri[0] == '\0' || r->uri[strlen(r->uri)-1] != '/') {
    	char* ifile;
  ***************
  *** 808,815 ****
  --- 809,831 ----
    	    return OK;
    	}
    
  + 	/* If the request returned something other than 404 (or 200),
  + 	 * it means the module encountered some sort of problem. To be
  + 	 * secure, we should return the error, rather than create
  + 	 * along a (possibly unsafe) directory index.
  + 	 *
  + 	 * So we store the error, and if none of the listed files
  + 	 * exist, we return the last error response we got, instead
  + 	 * of a directory listing.
  + 	 */
  + 	if (rr->status && rr->status != 404 && rr->status != 200)
  + 	    error_notfound = rr->status;
  + 
            destroy_sub_req (rr);
        }
  + 
  +     if (error_notfound)
  + 	return error_notfound;
    
        if (r->method_number != M_GET) return NOT_IMPLEMENTED;
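Review bot: The test `rr->status && rr->status != 404 && rr->status != 200` in the second hunk records every other non-zero sub-request status, not only errors, so a 3xx result from an index file would also be stored and returned by `if (error_notfound) return error_notfound;`. By then `destroy_sub_req (rr)` has run, so presumably nothing from the sub-request (such as a Location header) is left to send with that status; whether index files can answer with a redirect is not visible here. If they can, that case likely needs its own branch ahead of this one; if not, the comment should say that only error statuses are expected. The literals would also read better as the named status macros from httpd.h, the way the hunk already uses `NOT_IMPLEMENTED`, e.g. `rr->status != NOT_FOUND` (assuming that macro exists in this tree). The enclosing function begins and ends outside the hunk.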