
Re: Apache incompatibility (resend)
[Resent because hyperreal may have lost this for some people]

New patch uploaded, which should conform to Andrew's description.
I misread the spec; the crappy Netscape font made '../ cannot be used in this
pathname' look like '/ cannot be used in this pathname'.
[Memo; make sure any dots are in <code>]

31a_include.0.8.15.patch
------------------------

Subject: SSI #include file="/foo/bar" shouldn't work
Affects: mod_include.c
ChangeLog: Disallow includes of files not in the same directory as, or
sub-directory of, the .shtml file.

*** mod_include.c.orig Tue Oct 10 23:00:31 1995
--- mod_include.c Thu Oct 19 14:39:35 1995
***************
*** 360,372 ****
if(!(tag_val = get_tag(r->pool, in, tag, MAX_STRING_LEN, 1)))
return 1;
if(!strcmp(tag,"file") || !strcmp (tag, "virtual")) {
! request_rec *rr =
! (tag[0] == 'f')?
! sub_req_lookup_file (tag_val, r) :
! sub_req_lookup_uri (tag_val, r);
char *error_fmt = NULL;

! if (rr->status != 200)
error_fmt = "unable to include %s in parsed file %s";

if (!error_fmt && noexec && rr->content_type
--- 360,380 ----
if(!(tag_val = get_tag(r->pool, in, tag, MAX_STRING_LEN, 1)))
return 1;
if(!strcmp(tag,"file") || !strcmp (tag, "virtual")) {
! request_rec *rr=NULL;
char *error_fmt = NULL;
+
+ if (tag[0] == 'f')
+ { /* be safe; only files in this directory or below allowed */
+ char tmp[MAX_STRING_LEN+2];
+ sprintf(tmp, "/%s/", tag_val);
+ if (tag_val[0] == '/' || strstr(tmp, "/../") != NULL)
+ error_fmt = "unable to include file %s in parsed file %s";
+ else
+ rr = sub_req_lookup_file (tag_val, r);
+ } else
+ rr = sub_req_lookup_uri (tag_val, r);

! if (!error_fmt && rr->status != 200)
error_fmt = "unable to include %s in parsed file %s";

if (!error_fmt && noexec && rr->content_type
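Review bot: The unbounded `sprintf(tmp, "/%s/", tag_val)` in the new `file` branch fits `tmp[MAX_STRING_LEN+2]` only if `get_tag` never returns more than MAX_STRING_LEN-1 characters, and that bound is not visible in this hunk. The same test can be made on `tag_val` directly, which removes the stack copy and the dependence on that assumption; the fence below matches exactly what the `/../` search on the padded copy matches. The check is purely lexical, so whether a symlink below the directory can still lead outside it depends on `sub_req_lookup_file`, which is not shown. The enclosing function starts and ends outside the hunk.

```c
{ /* be safe; only files in this directory or below allowed */
    size_t len = strlen(tag_val);

    /* Reject absolute paths and any ".." segment without copying tag_val. */
    if (tag_val[0] == '/'
        || !strcmp(tag_val, "..")
        || !strncmp(tag_val, "../", 3)
        || strstr(tag_val, "/../") != NULL
        || (len >= 3 && !strcmp(tag_val + len - 3, "/..")))
        /* … unchanged: error_fmt assignment, else sub_req_lookup_file … */
```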
***************
*** 383,389 ****
rprintf(r,"%s",error);
}

! destroy_sub_req (rr);
}
else if(!strcmp(tag,"done"))
return 0;
--- 391,397 ----
rprintf(r,"%s",error);
}

! if (rr != NULL) destroy_sub_req (rr);
}
else if(!strcmp(tag,"done"))
return 0;
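Review bot: With `rr` now left NULL when the `file` path is rejected, every use of `rr` in the lines between the two hunks has to be guarded by `!error_fmt`, and those lines are not visible here, so that is worth confirming. I would also record the reason at the guard, e.g. `/* rr is NULL when the file= path was rejected before any lookup */`, and brace the one-line `if`. The enclosing block starts outside the hunk.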