security bug in some mass virtual hosting configurations
that can allow a remote attacker to retrieve some files
on the system that should be inaccessible. The problem
occurred with requests including the line "Host: ..." --
the last dot is stripped and the remaining ".." then
reveals a parent directory.
Reported by: Peter Christoffersen <pch@mindpass.com>
Message-ID: <8quts6$2el$1@news.inet.tele.dk>
Newsgroups: comp.infosystems.www.servers.unix
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86637 13f79535-47bb-0310-9956-ffa450edef68
src = r->hostname;
dst = host;
while (*src) {
- if (!apr_isalnum(*src) && *src != '.' && *src != '-') {
+ if (!apr_isalnum(*src) && *src != '-') {
+ if (*src == '.') {
+ *dst++ = *src++;
+ if (*src == '.')
+ goto bad;
+ else
+ continue;
+ }
if (*src == ':')
break;
else
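Review bot: the new `if (*src == '.')` branch only refuses a dot that is immediately followed by another dot, so a hostname that starts with a single '.' (or consists of just '.') is still copied into `host` by `*dst++ = *src++;` and passes this check. The commit message says a trailing dot is stripped later, so please confirm what those inputs become after stripping. If an empty or dot-leading name is not meant to reach the mass virtual hosting path mapping, also take `goto bad` when the dot is the first character (`dst == host` before the copy). A one-line comment above the branch saying that consecutive dots are rejected because they can form a ".." path component would save the next reader from digging through the commit log, and the `else` before `continue` is redundant after `goto bad`.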