Posted to cvs@httpd.apache.org by be...@hyperreal.org on 1998/06/23 21:53:33 UTC

cvs commit: apache-1.3/src/os/win32 util_win32.c

ben         98/06/23 12:53:33

  Modified:    src      CHANGES
               src/os/win32 util_win32.c
  Log:
  Temp fix for Win32 ... problem. Probably gonna be reversed soon.
  
  Revision  Changes    Path
  1.929     +5 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.928
  retrieving revision 1.929
  diff -u -r1.928 -r1.929
  --- CHANGES	1998/06/20 11:20:36	1.928
  +++ CHANGES	1998/06/23 19:53:29	1.929
  @@ -1,5 +1,10 @@
   Changes with Apache 1.3.1
   
  +  *) Win32 (security): Eliminate directories consisting of three or more dots;
  +     these are treated by Win32 as if they are ".." but are not detected by
  +	 other machinery within Apache. This is something of a kludge but eliminates
  +	 a security hole. [Ben Laurie]
  +
     *) Move ap_escape_quotes() from src/ap to src/main/util.c; it uses
        pools and thus pollutes libap (until the pool stuff is moved there).
        [Ken Coar]
  
  
  
  1.17      +15 -1     apache-1.3/src/os/win32/util_win32.c
  
  Index: util_win32.c
  ===================================================================
  RCS file: /export/home/cvs/apache-1.3/src/os/win32/util_win32.c,v
  retrieving revision 1.16
  retrieving revision 1.17
  diff -u -r1.16 -r1.17
  --- util_win32.c	1998/05/09 15:00:50	1.16
  +++ util_win32.c	1998/06/23 19:53:31	1.17
  @@ -86,13 +86,27 @@
   {
       char buf[HUGE_STRING_LEN];
       char b2[HUGE_STRING_LEN];
  -    char *s;
  +    char *s,*d;
   
       ap_assert(strlen(szFile) < sizeof b2);
       strcpy(b2,szFile);
       for(s=b2 ; *s ; ++s)
   	if(*s == '/')
   	    *s='\\';
  +
  +    /* Eliminate directories consisting of three or more dots.
  +       These act like ".." but are not detected by other machinery.
  +       This is a bit of a kludge - Ben.
  +    */
  +    for(d=s=b2 ; (*d=*s) ; ++d,++s)
  +	if(!strncmp(s,"\\...",3))
  +	    {
  +	    int n=strspn(s+1,".");
  +	    if(s[n+1] != '\\')
  +		continue;
  +	    s+=n;
  +	    --d;
  +	    }
   
       sub_canonical_filename(buf, sizeof buf, b2);
       buf[0]=tolower(buf[0]);
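Review bot: The test `strncmp(s,"\\...",3)` compares only the first three characters, `\..`, so the new loop also matches ordinary two-dot components and drops `\..\` from the path, although the comment says it targets three or more dots; comparing all four characters, `if(!strncmp(s,"\\...",4))`, would match the stated intent. The follow-up check `if(s[n+1] != '\\') continue;` also skips a dot run that ends the string, so a path whose last component is `...` reaches sub_canonical_filename() unfiltered; `if(s[n+1] != '\\' && s[n+1] != '\0') continue;` would cover that case. When the match is at the very start of b2, `--d` briefly forms a pointer before the buffer, which is undefined even though the loop increment restores it. The function's signature and the rest of its body are outside this hunk, so whether callers can pass a path starting with or ending in a dot run should be confirmed there.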