Hosting Provided By

DO NOT REPLY [Bug 14147] New: - patch for filename truncation bug in ap_directory_walk

From: <bugzilla(at)apache.org>
Date: Thu Oct 31 2002 - 15:51:17 EST

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14147>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14147

patch for filename truncation bug in ap_directory_walk

           Summary: patch for filename truncation bug in ap_directory_walk
           Product: Apache httpd-2.0
           Version: 2.0.43
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: debug@gooddan.com

Apache will, in some cases, truncate the last character of a filename causing it to either not find the file or serve the wrong file. Below are steps to reproduce the bug, part of a gdb debugging session showing the code that causes the bug, and a small patch to fix the bug.

This is probably the cause for the symptoms seen in bug #10687. I first encountered the problem when a customer was trying to do a virtual include of a file via mod_include SSI. The error log consistently showed apache failing to find a file whose name was one character shorter than the desired file. Here is an example.

$ cd ~user04

$ cat html/1/index.shtml

    <html>
    <body>
    test<br>

$ cat html/2/in.html

This is in.html

$ wget -q -O - http://sf1000.registeredsite.com/~user04/1/
    <html>
    <body>
    test<br>
    [an error occurred while processing this directive]     </body>
    </html>

Do you need help?

$ cat /usr/apache/logs/error.log.1036095600
[Thu Oct 31 15:20:12 2002] [user04] [error] [client 209.35.187.200]

     (2)No such file or directory: file permissions deny server access:
     /home/r/t/user04/html/2/in.htm
    [Thu Oct 31 15:20:12 2002] [user04] [error] [client 209.35.187.200]
     unable to include "../2/in.html" in parsed file
     /home/r/t/user04/html/1/index.shtml

Here is part of a debugging session where the code causing the bug can be seen in action. Starting with line 1066 from server/request.c in ap_directory_walk, the code reaches a goto at line 1100. This jumps back into a loop that spans lines 731-1057. The code proceeds to lines 920 and 921 where the last character of the filname is truncated. Lines 920 and 921 originally served to take off a temporary slash added in lines 740-744 in an earlier pass through the loop, but the boolean variable 'temp_slash' is still true when the goto jumps back into the loop.

(gdb) n
1066 if (save_path_info) {
(gdb)
1080 for (; sec_idx < num_sec; ++sec_idx) { (gdb)

1083                entry_core = ap_get_module_config(sec_ent[sec_idx],

&core_module);
(gdb)

1085                if (!entry_core->r) {
(gdb)
1089                if (ap_regexec(entry_core->r, r->filename, 0, NULL,

REG_NOTEOL)) {
(gdb)

1095                if (matches) {
(gdb)
1096                    if (last_walk->matched == sec_ent[sec_idx]) {
(gdb)
1097                        now_merged = last_walk->merged;
(gdb)
1098                        ++last_walk;
(gdb)
1099                        --matches;
(gdb)
1100                        goto minimerge;
(gdb)
813                     this_dir = ap_get_module_config(sec_ent[sec_idx],

&core_module);
(gdb)

815                     if (!this_dir) {
(gdb)
819                     if (this_dir->opts & OPT_UNSET) {
(gdb)
827                         opts = this_dir->opts;
(gdb)
828                         opts_add = this_dir->opts_add;
(gdb)
829                         opts_remove = this_dir->opts_remove;
(gdb)
832                     if (!(this_dir->override & OR_UNSET)) {
(gdb)
835                 }
(gdb)
751                     ap_conf_vector_t *entry_config = sec_ent[sec_idx];
(gdb)
753                     entry_core = ap_get_module_config(entry_config,
Do you need more help? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related httpd.apache.org Links
announce
bugs
cvs
dev
docs
gui-dev
modproxy-dev
packagers
testers
Request more information about Pantek

&core_module);
(gdb)

758                     if (entry_core->r || entry_core->d_components > seg) {
(gdb)
840                 if (seg >= startseg && override) {
(gdb)
841                     ap_conf_vector_t *htaccess_conf = NULL;
(gdb)
843                     res = ap_parse_htaccess(&htaccess_conf, r, override,
(gdb)
846                     if (res) {
(gdb)
850                     if (htaccess_conf) {
(gdb)
920                 if (temp_slash) {
(gdb)
921                     r->filename[--filename_len] = '\0';

The patch below ensures the boolean is set back to false when it has served its purpose, and as an added precaution, checks that the character about to be truncated is a slash.

request.c.bak Tue Oct 22 10:20:09 2002 +++ request.c Tue Oct 22 10:20:11 2002 @@ -918,6 +918,8 @@ /* That temporary trailing slash was useful, now drop it. */ if (temp_slash) { + temp_slash = 0; + if (r->filename[filename_len-1] == '/') r->filename[--filename_len] = '\0'; }

To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org For additional commands, e-mail: bugs-help@httpd.apache.org Received on Thu Oct 31 20:50:22 2002

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 16:44:01 EDT