Mon Sep 20 21:58:43 2010 UTC ()

fix a serious error in virtual hosting support, noticed by seanb@netbsd,
and disallow ".." as a virtual host name!  also ".".

patch from sean.


(mrg)

diff -r1.22 -r1.23 src/libexec/httpd/bozohttpd.c

--- src/libexec/httpd/bozohttpd.c 2010/07/11 03:13:08	1.22
+++ src/libexec/httpd/bozohttpd.c 2010/09/20 21:58:43	1.23

 @@ -1,14 +1,14 @@
-/*	$NetBSD: bozohttpd.c,v 1.22 2010/07/11 03:13:08 mrg Exp $	*/
+/*	$NetBSD: bozohttpd.c,v 1.23 2010/09/20 21:58:43 mrg Exp $	*/
 /*	$eterna: bozohttpd.c,v 1.174 2010/06/21 06:47:23 mrg Exp $	*/
 /*
  * Copyright (c) 1997-2010 Matthew R. Green
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
 @@ -981,38 +981,50 @@ check_virtual(bozo_httpreq_t *request)
 	/*
 	 * ok, we have a virtual host, use scandir(3) to find a case
 	 * insensitive match for the virtual host we are asked for.
 	 * note that if the virtual host is the same as the master,
 	 * we don't need to do anything special.
 	 */
 	len = strlen(request->hr_host);
 	debug((httpd, DEBUG_OBESE,
 	    "check_virtual: checking host `%s' under httpd->virtbase `%s' "
 	    "for file `%s'",
 	    request->hr_host, httpd->virtbase, request->hr_file));
 	if (strncasecmp(httpd->virthostname, request->hr_host, len) != 0) {
 		s = 0;
-		for (i = scandir(httpd->virtbase, &list, 0, 0); i--; list++) {
+		if ((dirp = opendir(httpd->virtbase)) != NULL) {
-			debug((httpd, DEBUG_OBESE, "looking at dir``%s''",
+			while ((d = readdir(dirp)) != NULL) {
-			    (*list)->d_name));
+				if (strcmp(d->d_name, ".") == 0 ||
-			if (strncasecmp((*list)->d_name, request->hr_host,
+				    strcmp(d->d_name, "..") == 0) {
-			    len) == 0) {
+					continue;
 				/* found it, punch it */
-				httpd->virthostname = (*list)->d_name;
+				debug((httpd, DEBUG_OBESE, "looking at dir``%s''",
-				if (asprintf(&s, "%s/%s", httpd->virtbase,
+			 	   d->d_name));
-						httpd->virthostname) < 0)
+				if (strncasecmp(d->d_name, request->hr_host,
-					bozo_err(httpd, 1, "asprintf");
+				    len) == 0) {
-				break;
+					/* found it, punch it */
 					debug((httpd, DEBUG_OBESE, "found it punch it"));
 					httpd->virthostname = d->d_name;
 					if (asprintf(&s, "%s/%s", httpd->virtbase,
 					    httpd->virthostname) < 0)
 						bozo_err(httpd, 1, "asprintf");
 					break;
+				}
+			}
 			closedir(dirp);
+		}
 		else {
 			debug((httpd, DEBUG_FAT, "opendir %s failed: %s",
 			    httpd->virtbase, strerror(errno)));
+		}
 		if (s == 0) {
 			if (httpd->unknown_slash)
 				goto use_slashdir;
 			return bozo_http_error(httpd, 404, request,
 						"unknown URL");
+		}
 	} else
 use_slashdir:
 		s = httpd->slashdir;
 	/*
 	 * ok, nailed the correct slashdir, chdir to it