Mailing List Archive

B60 uploaded: leading slash bug
I've uploaded B60-leading-slash.txt, which fixes this bug:

Requesting a resource without a leading slash will:
* not work (not a problem as it could only come from an invalid URL)
* cause a possible security breach; if docroot is /htdocs then
GET -secret/passwd HTTP/1.0

will cause httpd to access /htdocs-secret/passwd

David.
Re: B60 uploaded: leading slash bug
> I've uploaded B60-leading-slash.txt, which fixes this bug:

> Requesting a resource without a leading slash will:
> * not work (not a problem as it could only come from an invalid URL)
> * cause a possible security breach; if docroot is /htdocs then
> GET -secret/passwd HTTP/1.0
>
> will cause httpd to access /htdocs-secret/passwd

Here's what I see; this doesn't look right.

>telnet ooo 80
Trying...
Connected to ooo.lanl.gov.
Escape character is '^]'.
GET weee HTTP/1.0

HTTP/1.0 302 Found
Date: Friday, 07-Apr-95 19:25:42 GMT
Server: Apache/0.4
Location: http://ooo.lanl.govweee
Content-type: text/html

<HEAD><TITLE>Document moved</TITLE></HEAD>
<BODY><H1>Document moved</H1>
This document has moved <A HREF="http://ooo.lanl.govweee">here</A>.<P>
</BODY>
Connection closed by foreign host.


-=-=-=-=-
1.3 gives....

>telnet xxx 80
Trying...
Connected to xxx.lanl.gov.
Escape character is '^]'.
GET wee HTTP/1.0

HTTP/1.0 404 Not Found
Date: Friday, 07-Apr-95 19:29:54 GMT
Server: NCSA/1.3
MIME-version: 1.0
Content-type: text/html

<HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY><H1>404 Not Found</H1>
The requested URL wee was not found on this server.<P>
</BODY>
Connection closed by foreign host.


Did I mess something up?

robh
Re: B60 uploaded: leading slash bug
>
>
> > I've uploaded B60-leading-slash.txt, which fixes this bug:
>
> > Requesting a resource without a leading slash will:
> > * not work (not a problem as it could only come from an invalid URL)
> > * cause a possible security breach; if docroot is /htdocs then
> > GET -secret/passwd HTTP/1.0
> >
> > will cause httpd to access /htdocs-secret/passwd
>

I'd like to suggest that B60 be modified.

Replace

+ strsubfirst(0, name, "/");

with

+ die(NOT_FOUND, name, fd);
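Review bot: on the replacement line, `die(NOT_FOUND, name, fd);` reports a request that lacks the leading '/' as a missing document, although the request line itself is invalid, so a 400 status would describe it more accurately than 404. Whichever status is used, the check has to run before `name` is appended to the docroot; otherwise a request such as `-secret/passwd` still resolves to /htdocs-secret/passwd. The guarding condition is not visible in these lines, so it is worth confirming where it sits.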


That way a missing leading '/' immediately returns with a "Not Found" -
attempting to repair the damage is probably not a good thing to
do anyway - it'll encourage even more sloppy URLs.


robh
Re: B60 uploaded: leading slash bug
Better yet --- die with a 400 (Malformed request) --- that's what
these things are.

rst
Re: B60 uploaded: leading slash bug
>I'd like to suggest that B60 be modified.
>Replace
>+ strsubfirst(0, name, "/");
>with
>+ die(NOT_FOUND, name, fd);
Yes, that's much better. Can someone make this change on the patch at hyperreal,
as it's not convenient for me to do it right now?

David.
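
The bug and the reject-instead-of-repair fix discussed in this thread, as an added example that is not part of the original messages or of the B60 patch. The function names `map_unchecked` and `map_checked` and the status macros are hypothetical; the sketch covers only the leading-slash check and uses the 400 status suggested above.

```c
#include <stdio.h>
#include <string.h>

#define HTTP_OK          200
#define HTTP_BAD_REQUEST 400

/* Behaviour described in the thread: the requested name is appended to the
 * document root with no check that it begins with '/'. */
static int map_unchecked(const char *docroot, const char *name,
                         char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s%s", docroot, name);
    return (n < 0 || (size_t)n >= outlen) ? HTTP_BAD_REQUEST : HTTP_OK;
}

/* Reject instead of repair: a name without a leading '/' is refused before
 * it is ever combined with the document root. */
static int map_checked(const char *docroot, const char *name,
                       char *out, size_t outlen)
{
    if (name == NULL || name[0] != '/') {
        if (outlen > 0)
            out[0] = '\0';          /* leave no usable path behind */
        return HTTP_BAD_REQUEST;
    }
    return map_unchecked(docroot, name, out, outlen);
}

int main(void)
{
    /* Constructed sample names; the second and third appear in the thread. */
    const char *names[] = { "/index.html", "-secret/passwd", "weee" };
    char path[256];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int st = map_unchecked("/htdocs", names[i], path, sizeof path);
        printf("unchecked %-16s -> %d %s\n", names[i], st, path);
        st = map_checked("/htdocs", names[i], path, sizeof path);
        printf("checked   %-16s -> %d %s\n", names[i], st, path);
    }
    return 0;
}
```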