From nobody@hyperreal.com Wed Jun 18 08:59:15 1997 Received: (from nobody@localhost) by hyperreal.com (8.8.5/8.8.5) id IAA06193; Wed, 18 Jun 1997 08:59:15 -0700 (PDT) Message-Id: <199706181559.IAA06193@hyperreal.com> Date: Wed, 18 Jun 1997 08:59:15 -0700 (PDT) From: Chris Stratford Reply-To: chriss@uunet.pipex.com To: apbugs@hyperreal.com Subject: imap_url() loops if map file has value above server_root X-Send-Pr-Version: 3.2 >Number: 748 >Category: mod_imap >Synopsis: imap_url() loops if map file has value above server_root >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Wed Jun 18 09:00:01 1997 >Last-Modified: Fri Aug 1 02:11:05 PDT 1997 >Originator: chriss@uunet.pipex.com >Organization: >Release: 1.2.0 >Environment: SunOS 5.5.1 Generic_103640-03 sun4m sparc SUNW,SPARCstation-20 gcc 2.7.2 >Description: If you have a map file with an entry like: rect ../../sales/index.shtml 237,5 369,22 being called from a URL like http://server.com/graphics/cell.map the imap_url function gets stuck in a loop trying to remove the second "../" The variable "directory" seems to run out of directory entries before the variable "value" runs out of dots. It seems to loop forever inside the while ( ! strncmp(value, "../", 3) || ! strcmp(value, "..") ) loop (line 457) >How-To-Repeat: See full description. >Fix: A test like: if ((!strncmp(value, "../", 3)) && (strlen(directory) == 0)) { url[0] = '\0'; log_reason("invalid directory name in map file", r->uri, r); return; } should work (I think%2 >Audit-Trail: State-Changed-From-To: open-analyzed State-Changed-By: brian State-Changed-When: Sun Jul 20 22:42:02 PDT 1997 State-Changed-Why: Excellent catch! I've got a patch I've sent to the group waiting for comment, we should see a fix in 1.2.2 and 1.3. Thanks! State-Changed-From-To: analyzed-closed State-Changed-By: dgaudet State-Changed-When: Fri Aug 1 02:11:04 PDT 1997 State-Changed-Why: A fix has been committed to 1.3a2-dev and 1.2.2-dev. Thanks. Dean >Unformatted: