Ticket #526 (closed defect: duplicate)

Opened 3 years ago

Last modified 2 years ago

SSI includes with sub-directory (take2) - patch included

Reported by: marc@… Owned by: jan
Priority: high Milestone:
Component: mod_ssi Version: 1.4.10
Severity: normal Keywords: ssi include subdir
Cc: Blocked By:
Need User Feedback: Blocking:

Description

The following patch solves the sub-directory problem in #include file="argument" and makes sure no forbidden strings are part of the argument: 

--- mod_ssi.c.dist      2006-02-10 13:33:00.000000000 -0500
+++ mod_ssi.c  2006-02-15 12:38:00.000000000 -0500
@@ -513,18 +513,17 @@

                if (file_path) {
                        /* current doc-root */
+
+                       // skip if file_path contains forbidden strings
+                       if (file_path[0] == '/' || strstr(file_path, "../")) break;
+
                        if (NULL == (sl = strrchr(con->physical.path->ptr, '/'))) {
                                buffer_copy_string(p->stat_fn, "/");
                        } else {
                                buffer_copy_string_len(p->stat_fn, con->physical.path->ptr, sl - con->physical.path->ptr + 1);
                        }

-                       /* fn */
-                       if (NULL == (sl = strrchr(file_path, '/'))) {
-                               buffer_append_string(p->stat_fn, file_path);
-                       } else {
-                               buffer_append_string(p->stat_fn, sl + 1);
-                       }
+                       buffer_append_string(p->stat_fn, file_path);
                } else {
                        /* virtual */

Attachments

Change History

Changed 3 years ago by conny

  • status changed from new to closed
  • resolution set to duplicate

Merging with the ticket #462.

Add/Change #526 (SSI includes with sub-directory (take2) - patch included)

Author



Change Properties
<Author field>
Action
as closed
Next status will be 'reopened'
 
Note: See TracTickets for help on using tickets.