From 251bf4d1d388b8deb3ace2455da491efa3a22e88 Mon Sep 17 00:00:00 2001
From: "William A. Rowe Jr"
Date: Mon, 16 Oct 2000 03:43:44 +0000
Subject: [PATCH] Cleaning up a _Security_ concern - Please Review Carefully

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@86608 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/filters/mod_include.c | 34 +++++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/modules/filters/mod_include.c b/modules/filters/mod_include.c
index 30dca064e3..6fe00b5f84 100644
--- a/modules/filters/mod_include.c
+++ b/modules/filters/mod_include.c
@@ -672,27 +672,39 @@ static int include_cgi(char *s, request_rec *r, ap_filter_t *next)
 /* ensure that path is relative, and does not contain ".." elements
 * ensentially ensure that it does not match the regex:
 * (^/|(^|/)\.\.(/|$))
- * XXX: this needs os abstraction... consider c:..\foo in win32
+ * XXX: Needs to become apr_is_path_relative() test
 */
 static int is_only_below(const char *path)
 {
 #ifdef HAVE_DRIVE_LETTERS
- if (path[1] == ':')
+ if (path[1] == ':')
 return 0;
 #endif
- if (path[0] == '/') {
+#ifdef NETWARE
+ if (strchr(path, ':')
 return 0;
- }
- if (path[0] == '.' && path[1] == '.'
- && (path[2] == '\0' || path[2] == '/')) {
+#endif
+ if (path[0] == '/') {
 return 0;
 }
 while (*path) {
- if (*path == '/' && path[1] == '.' && path[2] == '.'
- && (path[3] == '\0' || path[3] == '/')) {
- return 0;
- }
- ++path;
+ int dots = 0;
+ while (path[dots] == '.')
+ ++dots;
+#if defined(WIN32)
+ /* If the name is canonical this is redundant
+ * but in security, redundancy is worthwhile.
+ * Does OS2 belong here (accepts ... for ..)?
+ */
+ if (dots > 1 && (!path[dots] || path[dots] == '/'))
+ return 0;
+#else
+ if (dots == 2 && (!path[dots] || path[dots] == '/'))
+ return 0;
+#endif
+ path += dots;
+ while (*path && *(path++) != '/')
+ ++path;
 }
 return 1;
 }
-- 
2.50.1
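Review bot: The segment-skipping loop at the end of the new `while (*path)` body advances `path` twice per iteration, once in the condition `*(path++) != '/'` and again in the body `++path`, so only every other character is compared against `/`. A separator that falls on a skipped position is stepped over, so the component after it (including a `..`) is never examined, and a trailing segment of odd length moves `path` past the terminating NUL, after which the outer loop reads out of bounds. Advance once and consume the separator explicitly, e.g. `while (*path && *path != '/') ++path;` followed by `if (*path) ++path;`. The added NETWARE test `if (strchr(path, ':')` is also missing its closing parenthesis and will not compile on that platform. On WIN32 only `/` is treated as a separator here, so backslash-separated `..` components pass unless callers normalise the path first, which is worth confirming before relying on this check.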