Posted to bugs@httpd.apache.org by bu...@apache.org on 2005/09/23 15:58:56 UTC

DO NOT REPLY [Bug 36783] New: - request.c not correctly checking link owner uid for SymlinksIfOwnerMatch


http://issues.apache.org/bugzilla/show_bug.cgi?id=36783

           Summary: request.c not correctly checking link owner uid for
                    SymlinksIfOwnerMatch
           Product: Apache httpd-2.0
           Version: 2.1-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: rob-apache.org.bugs@tigertech.net


The following code, around line 375 of server/request.c, contains an error  
that may lead to failures in SymlinksIfOwnerMatch on some platforms: 
    
  /* OPT_SYM_OWNER only works if we can get the owner of     
   * both the file and symlink.  First fill in a missing     
   * owner of the symlink, then get the info of the target.     
   */     
  if (!(lfi->valid & APR_FINFO_OWNER)) {     
      if ((res = apr_stat(&fi, d,      
                          lfi->valid | APR_FINFO_LINK | APR_FINFO_OWNER, p))     
          != APR_SUCCESS) {     
          return HTTP_FORBIDDEN;     
      }     
  }     
     
  if ((res = apr_stat(&fi, d, lfi->valid & ~(APR_FINFO_NAME), p))     
      != APR_SUCCESS) {     
      return HTTP_FORBIDDEN;     
  }     
     
  if (apr_uid_compare(fi.user, lfi->user) != APR_SUCCESS) {     
      return HTTP_FORBIDDEN;     
  }     
    
The apr_stat calls are supposed to set lfi->user and fi.user so they can be   
compared. However, they're both operating on &fi, meaning that lfi->user   
doesn't get set. 
     
On platforms where FINFO_OWNER isn't already valid when we reach this code 
(including Win32, according to William A. Rowe, Jr.), lfi->user could be 
random junk when compared, likely leading to an incorrect HTTP_FORBIDDEN result
(and perhaps the small possibility of an incorrect OK result).  
    
The first apr_stat() call should set lfi instead of &fi:  
    
  if (!(lfi->valid & APR_FINFO_OWNER)) {     
      if ((res = apr_stat(lfi, d,

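The owner comparison the report describes, as an added example that is not part of the original report or of httpd's source: it uses plain POSIX lstat()/stat() instead of apr_stat(), and the function names and the temporary fixture are assumptions made for illustration. The link's owner and the target's owner go into two separate structures, which is the property the reported code loses by passing &fi to both calls.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 to allow, 0 to deny. The link's owner and the target's owner
 * are read into two separate structures, so both sides of the comparison
 * are filled in before they are compared. Any stat failure denies. */
int symlink_owner_matches(const char *path)
{
    struct stat link_st, target_st;

    if (lstat(path, &link_st) != 0)      /* the link itself, not followed */
        return 0;
    if (!S_ISLNK(link_st.st_mode))       /* not a symlink: nothing to compare */
        return 1;
    if (stat(path, &target_st) != 0)     /* the target; a dangling link is denied */
        return 0;
    return link_st.st_uid == target_st.st_uid;
}

/* Constructed fixture: a temp directory holding a file, a link to it and a
 * dangling link. Returns a bitmask of the allowed paths, or -1 on setup error. */
int run_demo(void)
{
    char dir[] = "/tmp/symowner-XXXXXX";
    char file[64], good[64], dangling[64];
    int allowed = -1;
    FILE *f;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, sizeof file, "%s/target", dir);
    snprintf(good, sizeof good, "%s/good", dir);
    snprintf(dangling, sizeof dangling, "%s/dangling", dir);
    if ((f = fopen(file, "w")) != NULL) {
        fclose(f);
        if (symlink(file, good) == 0 && symlink("missing", dangling) == 0)
            allowed = (symlink_owner_matches(file) ? 1 : 0)      /* plain file */
                    | (symlink_owner_matches(good) ? 2 : 0)      /* same owner */
                    | (symlink_owner_matches(dangling) ? 4 : 0); /* no target  */
    }
    unlink(good); unlink(dangling); unlink(file); rmdir(dir);
    return allowed;
}

int main(void) { printf("allowed mask: %d\n", run_demo()); return 0; }
```

The check is path-based, so it remains subject to a race between the comparison and the later open of the file.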