From: William A. Rowe Jr Date: Thu, 23 Aug 2001 22:17:19 +0000 (+0000) Subject: Increase security in core.c by testing (as we merge the path) that the X-Git-Tag: 2.0.25~112 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=304f5cb2c82cd5636a69abd3c221d267980d9ea3;p=apache Increase security in core.c by testing (as we merge the path) that the URI does not go above the DocumentRoot (as defined by the OS, not by the URI specification), and give us the true name. When we are done, note the name is canonical for directory_walk. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90593 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/server/core.c b/server/core.c index 50b464f1ef..9f18233082 100644 --- a/server/core.c +++ b/server/core.c @@ -2911,8 +2911,14 @@ AP_DECLARE_NONSTD(int) ap_core_translate(request_rec *r) && (r->server->path[r->server->pathlen - 1] == '/' || r->uri[r->server->pathlen] == '/' || r->uri[r->server->pathlen] == '\0')) { - r->filename = apr_pstrcat(r->pool, conf->ap_document_root, - (r->uri + r->server->pathlen), NULL); + if (apr_filepath_merge(r->filename, conf->ap_document_root, + r->uri + r->server->pathlen, + APR_FILEPATH_TRUENAME + | APR_SECUREROOT_TEST, r->pool) + != APR_SUCCESS) { + return HTTP_FORBIDDEN; + } + r->canonical_filename == r->filename; } else { /* @@ -2920,15 +2926,14 @@ AP_DECLARE_NONSTD(int) ap_core_translate(request_rec *r) * /'s in a row. This happens under windows when the document * root ends with a / */ - if ((conf->ap_document_root[strlen(conf->ap_document_root)-1] == '/') - && (*(r->uri) == '/')) { - r->filename = apr_pstrcat(r->pool, conf->ap_document_root, r->uri+1, - NULL); - } - else { - r->filename = apr_pstrcat(r->pool, conf->ap_document_root, r->uri, - NULL); - } + if (apr_filepath_merge(r->filename, conf->ap_document_root, + r->uri + (*(r->uri) == '/') ? 1 : 0, + APR_FILEPATH_TRUENAME + | APR_SECUREROOT_TEST, r->pool) + != APR_SUCCESS) { + return HTTP_FORBIDDEN; + } + r->canonical_filename == r->filename; } return OK;