You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2005/09/23 15:58:56 UTC
DO NOT REPLY [Bug 36783] New: -
request.c not correctly checking link owner uid for SymlinksIfOwnerMatch
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=36783>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=36783
Summary: request.c not correctly checking link owner uid for
SymlinksIfOwnerMatch
Product: Apache httpd-2.0
Version: 2.1-HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Core
AssignedTo: bugs@httpd.apache.org
ReportedBy: rob-apache.org.bugs@tigertech.net
The following code, around line 375 of server/request.c, contains an error
that may lead to failures in SymlinksIfOwnerMatch on some platforms:
/* OPT_SYM_OWNER only works if we can get the owner of
* both the file and symlink. First fill in a missing
* owner of the symlink, then get the info of the target.
*/
if (!(lfi->valid & APR_FINFO_OWNER)) {
if ((res = apr_stat(&fi, d,
lfi->valid | APR_FINFO_LINK | APR_FINFO_OWNER, p))
!= APR_SUCCESS) {
return HTTP_FORBIDDEN;
}
}
if ((res = apr_stat(&fi, d, lfi->valid & ~(APR_FINFO_NAME), p))
!= APR_SUCCESS) {
return HTTP_FORBIDDEN;
}
if (apr_uid_compare(fi.user, lfi->user) != APR_SUCCESS) {
return HTTP_FORBIDDEN;
}
The apr_stat calls are supposed to set lfi->user and fi.user so they can be
compared. However, they're both operating on &fi, meaning that lfi->user
doesn't get set.
On platforms where FINFO_OWNER isn't already valid when we reach this code
(including Win32, according to William A. Rowe, Jr.), lfi->user could be
random junk when compared, likely leading to a incorrect HTTP_FORBIDDEN result
(and perhaps the small possibility of an incorrect OK result).
The first apr_stat() call should set lfi instead of &fi:
if (!(lfi->valid & APR_FINFO_OWNER)) {
if ((res = apr_stat(lfi, d,
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org