Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/libexec/httpd Avoid .htpasswd exposure to authenticated user...
details: https://anonhg.NetBSD.org/src/rev/3fbc1c861176
branches: trunk
changeset: 837691:3fbc1c861176
user: leot <leot%NetBSD.org@localhost>
date: Sat Dec 15 12:39:22 2018 +0000
description:
Avoid .htpasswd exposure to authenticated users when .htpasswd is
in the slashdir too.
Problem reported by JP via tech-security@ and discussed with <mrg>, thanks!
diffstat:
libexec/httpd/bozohttpd.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diffs (18 lines):
diff -r 43463d1cc503 -r 3fbc1c861176 libexec/httpd/bozohttpd.c
--- a/libexec/httpd/bozohttpd.c Sat Dec 15 12:08:18 2018 +0000
+++ b/libexec/httpd/bozohttpd.c Sat Dec 15 12:39:22 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: bozohttpd.c,v 1.104 2018/12/15 09:28:27 leot Exp $ */
+/* $NetBSD: bozohttpd.c,v 1.105 2018/12/15 12:39:22 leot Exp $ */
/* $eterna: bozohttpd.c,v 1.178 2011/11/18 09:21:15 mrg Exp $ */
@@ -1467,7 +1467,7 @@
} else if (basename == NULL) {
strcpy(path, ".");
strcpy(dir, "");
- basename = dir;
+ basename = request->hr_file + 1;
} else {
*basename++ = '\0';
strcpy(path, dir);
Home |
Main Index |
Thread Index |
Old Index