#2 Security patch 2 for Pi3Web 2.0 beta 2

closed-fixed
nobody
None
9
2002-05-09
2002-01-18
No

There is a problem with the Pi3Web 2.0 CGI handler for physical paths that are
exactly MAX_PATH (260) bytes long. The problem is caused by a specific behaviour
of the Windows API that the server does not handle correctly.

The problem is limited to Pi3Web 2.0 on Win32 only; Linux and Solaris are not
affected. Older versions of Pi3Web are not affected.

The patch is also available in the download area. Patch no. 1 may be applied but
is not required; if patch no. 1 was applied, it is recommended to apply this
patch as well.

Extract the archive and replace the DLLs in Pi3Web/bin, then restart the server.

A configuration-based workaround for this problem is also possible by adding the
following line to the Scripts object, e.g. in Pi3Web/Conf/Config.pi3:

<Object>
Name Scripts
Class FlexibleHandlerClass
Condition "&cmp(&dblookup(response,string,ObjectMap),Scripts)"
# line added to check for script names ending with '.'
CheckPath Condition="&regexp(*.,$z)" StatusCode StatusCode="404"
...
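The workaround above rejects script names that end with '.'. As an added illustration (not Pi3Web code, and not the fix shipped in the patch), the C check below does the same thing in the handler itself: it applies the Win32 rule that trailing dots and spaces on a file name are dropped before the file is opened, refuses the request if the name Windows would open differs from the name that was requested, and refuses any path that does not fit in a MAX_PATH buffer. The function names and the sample paths are constructed for the example; that the trailing-dot rule is the Windows API behaviour behind this ticket is an assumption drawn from the workaround.

```c
#include <stdio.h>
#include <string.h>

#ifndef MAX_PATH
#define MAX_PATH 260   /* Win32 limit; the 260 bytes include the terminating NUL */
#endif

/* Portable re-implementation (for illustration, no Windows API call) of the
 * Win32 canonicalisation that matters here: trailing '.' and ' ' characters
 * are silently dropped from the name before the file is opened.
 * Returns 0 and fills out[], or -1 if the path cannot fit in MAX_PATH. */
int win32_canonical_name(const char *path, char *out, size_t out_len)
{
    size_t n = strlen(path);
    if (n >= MAX_PATH || n >= out_len)      /* needs n + 1 bytes including NUL */
        return -1;
    memcpy(out, path, n + 1);
    while (n > 0 && (out[n - 1] == '.' || out[n - 1] == ' '))
        out[--n] = '\0';                    /* strip what Windows would strip */
    return 0;
}

/* 1 if the physical path may be handed to the CGI handler: it fits in
 * MAX_PATH and the file Windows would actually open is the file requested. */
int cgi_path_is_safe(const char *path)
{
    char canon[MAX_PATH];
    if (win32_canonical_name(path, canon, sizeof canon) != 0)
        return 0;                           /* 260 bytes or more: reject */
    return strcmp(path, canon) == 0;        /* trailing '.'/' ' changed it */
}

/* Helper for the length boundary: a constructed path of n 'a' bytes. */
int long_path_is_safe(size_t n)
{
    char buf[512];
    if (n >= sizeof buf)
        return 0;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return cgi_path_is_safe(buf);
}

int main(void)
{
    /* constructed sample paths */
    printf("%d\n", cgi_path_is_safe("C:\\Pi3Web\\cgi-bin\\test.pl"));   /* 1 */
    printf("%d\n", cgi_path_is_safe("C:\\Pi3Web\\cgi-bin\\test.pl."));  /* 0 */
    printf("%d %d\n", long_path_is_safe(259), long_path_is_safe(260));  /* 1 0 */
    return 0;
}
```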

Discussion

  • Logged In: YES
    user_id=131660

    Don't apply the patch to the beta 2 anymore but upgrade to the 2.00 release distribution instead.

    • status: open --> closed-fixed