I lied about fixing the /./ security hole... I almost fixed it. You
can still access the root document of a directory (i.e. index.yaws,
index.html, or a directory listing) in a www-auth protected directory by
adding either an extra slash ("//") or a "/./". You can't access any
other files, however.
So, after looking around the source code I found a very convenient place
to take care of extra slashes, "/./", and "/../".
'yaws_api:url_decode_q_split/1' accumulates the path in a list and then
reverses it at the end, so I replaced this reversal by a function that
takes care of all those cases. Hopefully www-authenticate works
perfectly now, and as a side benefit yaws now properly handles "/../"
instead of returning 403. Don't worry, it is impossible to ascend
above the server root using "/../".
yaws_api now also exports "norm_path/1" for those interested in such a
On Wed, Jul 02, 2003 at 08:33:54AM -0500, Leon Smith wrote:
> yaws_api now also exports "norm_path/1" for those interested in such a
> function. :)
Carsten Schultz (2:40, 33:47), FB Mathematik, FU Berlin
PGP/GPG key on the pgp.net key servers,
fingerprint on my home page.
My last patch messes up in some cases. Consider
"/../crack/../authdir/", path_norm returns "//authdir/", which gets you
access to the directory index. Also it can do weird things on files
beginning with "..".
I'm not sure exactly what I was thinking when I wrote the last patch.
So much for early morning code :-/ Anyway I wrote out a little grammar
this time, and applied my knowledge of parsing, so this version *does*
work. I'm quite confident I can even prove it.
Carsten Schultz wrote:
>On Wed, Jul 02, 2003 at 08:33:54AM -0500, Leon Smith wrote:
>>yaws_api now also exports "norm_path/1" for those interested in such a
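
Added example, not part of the original thread and not yaws source code: a segment-based path normalizer in Erlang covering the cases discussed above ("//", "/./", "/../", the "/../crack/../authdir/" input, and file names beginning with ".."). The module and function names are hypothetical, and the input is assumed to be an already URL-decoded path with the query string removed.

```erlang
%% Added example; hypothetical names, not the yaws implementation.
-module(path_norm_example).
-export([normalize/1, demo/0]).

%% normalize(Path) -> canonical absolute path.
%% The path is handled as whole segments, never as substrings, so:
%%   - empty segments ("//") and "." are dropped,
%%   - ".." removes the previous segment but never climbs above the root,
%%   - names such as "..hidden" or "..." are ordinary segments.
normalize(Path) ->
    Segs = string:tokens(Path, "/"),          % tokens/2 skips empty segments
    Kept = lists:foldl(fun step/2, [], Segs), % Kept is a reversed stack
    render(lists:reverse(Kept), names_directory(Path, Segs)).

step(".", Acc)        -> Acc;
step("..", [])        -> [];                  % clamp at the server root
step("..", [_ | Acc]) -> Acc;
step(Seg, Acc)        -> [Seg | Acc].

%% The request names a directory if it ends in "/" or in a "." / ".." segment.
names_directory(Path, Segs) ->
    lists:suffix("/", Path) orelse
        (Segs =/= [] andalso lists:member(lists:last(Segs), [".", ".."])).

render([], _)       -> "/";
render(Segs, true)  -> "/" ++ string:join(Segs, "/") ++ "/";
render(Segs, false) -> "/" ++ string:join(Segs, "/").

%% Constructed inputs; each line fails with badmatch if the result differs.
demo() ->
    "/authdir/"      = normalize("/authdir//"),
    "/authdir/"      = normalize("/authdir/./"),
    "/authdir/"      = normalize("/../crack/../authdir/"),
    "/"              = normalize("/../../.."),
    "/a/"            = normalize("/a/b/.."),
    "/..hidden/file" = normalize("/..hidden/file"),
    "/index.yaws"    = normalize("//./index.yaws"),
    ok.
```

The authentication check and the file lookup should both use the normalized result, so that every spelling of a protected directory maps to the same string before any access decision is made.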