Ticket #1589 (closed defect: fixed)

Opened 6 months ago

Last modified 11 days ago

server.force-lowercase-filenames doesn't work inside userdir's

Reported by: anders1@… Owned by: jan
Priority: normal Milestone: 1.4.20
Component: core Version: 1.4.19
Severity: major Keywords: patch security
Cc: anders1@…, kaan@… Blocked By:
Need User Feedback: no Blocking:

Description

Hi,

I run lighttpd 1.4.19 on Linux on top of a case-insensitive filesystem (JFS with OS/2 compatibility enabled). I noticed that while lighty forces lower case filenames for files within the server.document-root, it doesn't for files in a userdir.

Example:

The original filename is test.php (works): http://andersman.org/test.php http://andersman.org/test.PHP

The original filename is test.php (shows sources !!): http://andersman.org/~anders/test.php http://andersman.org/~anders/test.PHP

Attachments

Change History

Changed 6 months ago by kaank

Changed 6 months ago by kaank

Added a patch that should solve the problem by using buffer_to_lower before assigning the path to physical.path - first patch and first real attempt at solving a lighty bug so if I've overlooked something let me know so I can correct it with this and future patches.

Changed 6 months ago by kaank

  • pending set

Changed 6 months ago by kaank

  • keywords patch added

Changed 6 months ago by kaank

  • cc kaan@… added

Changed 6 months ago by anonymous

  • keywords userdir case bug removed
  • pending unset

Changed 11 days ago by stbuehler

  • status changed from new to closed
  • resolution set to fixed

"Fixed" in [2283] - but i wouldn't use a case-insensitive filesystem if i needed a secure webserver; i guess there are more problems in that area than we will ever find.

I didn't use your patch as there is more than lowercase on windows.

Add/Change #1589 (server.force-lowercase-filenames doesn't work inside userdir's)

Author



Change Properties
<Author field>
Action
as closed
Next status will be 'reopened'
 
Note: See TracTickets for help on using tickets.