You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by wr...@apache.org on 2001/10/17 02:03:22 UTC
cvs commit: httpd-2.0/modules/ssl ssl_engine_pphrase.c
wrowe 01/10/16 17:03:22
Modified: modules/ssl ssl_engine_pphrase.c
Log:
It is absolutely invalid practice to test 'prot' bits to determine if a
file is readable. The only acceptable means of testing readability is to
open it for reading, due to discrepancies between permissions, DACLs and
SACLS. Even Linux hackers are gonna need to learn that lesson if they
plan to do any DOD or Gov work once DACL-enhanced Linux is adopted.
Revision Changes Path
1.11 +12 -4 httpd-2.0/modules/ssl/ssl_engine_pphrase.c
Index: ssl_engine_pphrase.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_pphrase.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- ssl_engine_pphrase.c 2001/08/23 22:37:00 1.10
+++ ssl_engine_pphrase.c 2001/10/17 00:03:22 1.11
@@ -69,13 +69,21 @@
static apr_status_t exists_and_readable(char *fname, apr_pool_t *pool)
{
+ apr_status_t stat;
apr_finfo_t sbuf;
+ apr_file_t *fd;
- if ( apr_stat(&sbuf, fname, APR_FINFO_NORM, pool) != APR_SUCCESS )
- return APR_ENOSTAT;
+ if ((stat = apr_stat(&sbuf, fname, APR_FINFO_MIN, pool)) != APR_SUCCESS)
+ return stat;
- return ( ((sbuf.filetype == APR_REG) && (sbuf.protection & APR_UREAD)) ?
- APR_SUCCESS : APR_EGENERAL);
+ if (sbuf.filetype != APR_REG)
+ return APR_EGENERAL;
+
+ if ((stat = apr_file_open(&fd, fname, APR_READ, 0, pool)) != APR_SUCCESS)
+ return stat;
+
+ apr_file_close(fd);
+ return APR_SUCCESS;
}
/* _________________________________________________________________