You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by be...@hyperreal.org on 1998/06/23 21:53:33 UTC
cvs commit: apache-1.3/src/os/win32 util_win32.c
ben 98/06/23 12:53:33
Modified: src CHANGES
src/os/win32 util_win32.c
Log:
Temp fix for Win32 ... problem. Probably gonna be reversed soon.
Revision Changes Path
1.929 +5 -0 apache-1.3/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.928
retrieving revision 1.929
diff -u -r1.928 -r1.929
--- CHANGES 1998/06/20 11:20:36 1.928
+++ CHANGES 1998/06/23 19:53:29 1.929
@@ -1,5 +1,10 @@
Changes with Apache 1.3.1
+ *) Win32 (security): Eliminate directories consisting of three or more dots;
+ these are treated by Win32 as if they are ".." but are not detected by
+ other machinery within Apache. This is something of a kludge but eliminates
+ a security hole. [Ben Laurie]
+
*) Move ap_escape_quotes() from src/ap to src/main/util.c; it uses
pools and thus pollutes libap (until the pool stuff is moved there).
[Ken Coar]
1.17 +15 -1 apache-1.3/src/os/win32/util_win32.c
Index: util_win32.c
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/os/win32/util_win32.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- util_win32.c 1998/05/09 15:00:50 1.16
+++ util_win32.c 1998/06/23 19:53:31 1.17
@@ -86,13 +86,27 @@
{
char buf[HUGE_STRING_LEN];
char b2[HUGE_STRING_LEN];
- char *s;
+ char *s,*d;
ap_assert(strlen(szFile) < sizeof b2);
strcpy(b2,szFile);
for(s=b2 ; *s ; ++s)
if(*s == '/')
*s='\\';
+
+ /* Eliminate directories consisting of three or more dots.
+ These act like ".." but are not detected by other machinery.
+ This is a bit of a kludge - Ben.
+ */
+ for(d=s=b2 ; (*d=*s) ; ++d,++s)
+ if(!strncmp(s,"\\...",3))
+ {
+ int n=strspn(s+1,".");
+ if(s[n+1] != '\\')
+ continue;
+ s+=n;
+ --d;
+ }
sub_canonical_filename(buf, sizeof buf, b2);
buf[0]=tolower(buf[0]);