From 304f5cb2c82cd5636a69abd3c221d267980d9ea3 Mon Sep 17 00:00:00 2001 From: "William A. Rowe Jr" Date: Thu, 23 Aug 2001 22:17:19 +0000 Subject: [PATCH] Increase security in core.c by testing (as we merge the path) that the URI does not go above the DocumentRoot (as defined by the OS, not by the URI specification), and give us the true name. When we are done, note the name is canonical for directory_walk. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90593 13f79535-47bb-0310-9956-ffa450edef68 --- server/core.c | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/server/core.c b/server/core.c index 50b464f1ef..9f18233082 100644 --- a/server/core.c +++ b/server/core.c @@ -2911,8 +2911,14 @@ AP_DECLARE_NONSTD(int) ap_core_translate(request_rec *r) && (r->server->path[r->server->pathlen - 1] == '/' || r->uri[r->server->pathlen] == '/' || r->uri[r->server->pathlen] == '\0')) { - r->filename = apr_pstrcat(r->pool, conf->ap_document_root, - (r->uri + r->server->pathlen), NULL); + if (apr_filepath_merge(r->filename, conf->ap_document_root, + r->uri + r->server->pathlen, + APR_FILEPATH_TRUENAME + | APR_SECUREROOT_TEST, r->pool) + != APR_SUCCESS) { + return HTTP_FORBIDDEN; + } + r->canonical_filename == r->filename; } else { /* 
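Review bot: The added statement `r->canonical_filename == r->filename;` is a comparison whose result is discarded, so the canonical name that the commit message says is noted for directory_walk is never stored; it should be `r->canonical_filename = r->filename;`. The same line appears in the second hunk (the else branch). In both hunks the call also passes `r->filename` as the first argument, whereas apr_filepath_merge writes the merged path through a `char **`, so it should be `&r->filename`. As written, the root-checked, true-name result does not reach `r->filename`, which later stages use as the path. ap_core_translate begins and continues outside this hunk.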
@@ -2920,15 +2926,14 @@ AP_DECLARE_NONSTD(int) ap_core_translate(request_rec *r) * /'s in a row. This happens under windows when the document * root ends with a / */ - if ((conf->ap_document_root[strlen(conf->ap_document_root)-1] == '/') - && (*(r->uri) == '/')) { - r->filename = apr_pstrcat(r->pool, conf->ap_document_root, r->uri+1, - NULL); - } - else { - r->filename = apr_pstrcat(r->pool, conf->ap_document_root, r->uri, - NULL); - } + if (apr_filepath_merge(r->filename, conf->ap_document_root, + r->uri + (*(r->uri) == '/') ? 1 : 0, + APR_FILEPATH_TRUENAME + | APR_SECUREROOT_TEST, r->pool) + != APR_SUCCESS) { + return HTTP_FORBIDDEN; + } + r->canonical_filename == r->filename; } return OK; -- 2.50.1
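Review bot: The add-path argument `r->uri + (*(r->uri) == '/') ? 1 : 0` does not skip a leading slash, because `+` binds tighter than `?:`. The expression parses as `(r->uri + (...)) ? 1 : 0`, so an integer constant is passed where the path string is expected, and the above-root test is not applied to the request URI at all. Parenthesise the conditional, `r->uri + ((*(r->uri) == '/') ? 1 : 0)`, or drop it and write `r->uri + (*(r->uri) == '/')`. It is worth building with warnings for integer-to-pointer conversion enabled so this kind of slip fails the build. The enclosing else branch opens before this hunk.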