[581] in WWW Security List Archive
No subject found in mail header
daemon@ATHENA.MIT.EDU (Steff Watkins)
Thu Apr 13 08:31:41 1995
From: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
To: www-security@ns2.rutgers.edu
Date: Thu, 13 Apr 1995 08:54:50 +0100 (BST)
Errors-To: owner-www-security@ns2.rutgers.edu
> In http_access.c, function evalute_access:
>
> if(S_ISDIR(finfo->st_mode)) strcpy_dir(path,p);
> else strcpy(path,p);
>
> The second strcpy is copying a filename (again, potentially 8192 characters)
> into a local buffer (256 characters.)
>
> Some scary info:
>
> {nic} grep strcpy *.c | wc -l
> 123
> {nic} grep sprintf *.c |wc -l
> 51
>
> There are more holes here, folks.
Hello,
forgive me if I seem a complete twonk but...
a> Wouldn't it be easy(-ish) to either A> use some form of a malloc()
assignment routine for "path" or B> make the definition of "path" a lot
bigger..
OR
b> put a limiter statement into the code, i.e.

    if (strlen(p) < SOME_VALUE)   /* SOME_VALUE: no larger than the size of path */
    {
        /* put the rest of the code here */
    }
    else { /* Gibber gibber */ }

Possible gibber.. not ALL the sprintf's and strcpy's in the C code files
are to do with copying the pathname, and as such, they're NOT all going to
cause this problem.
Sorry.. just seems that you're being a bit alarmist here!!!
Steff
* RFC-822 : Steff.Watkins@bristol.ac.uk *
* X-400 : /G=steff/S=watkins/O=bristol/PRMD=UK.AC/ADMD= /C=GB/ *
* "How can you say my point of view is screwed when you so readily accept *
* wave-particle duality????" *
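
Added example (not part of the original message or of the server's source): the length check suggested in option b above, written as a C helper that refuses an over-long filename instead of copying it into the 256-byte buffer. The name copy_path, the as_dir flag and the assumption that strcpy_dir appends a trailing '/' are hypothetical; 256 and 8192 are the sizes quoted in the thread, and the sample paths are constructed.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 256   /* local buffer size quoted in the thread */
#define MAX_REQ  8192  /* filename length quoted in the thread */

/* Hypothetical helper: copy src into dst only if the whole string fits,
 * counting the NUL and, when as_dir is set, a trailing '/' (assumed to be
 * what strcpy_dir adds). Returns 0 on success, -1 if it does not fit.
 * It rejects instead of truncating: an access check made on a truncated
 * path would be a decision about a different file. */
int copy_path(char *dst, size_t dstsz, const char *src, int as_dir)
{
    const char *end;
    size_t len, add_slash;

    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    end = memchr(src, '\0', dstsz);      /* look no further than dstsz bytes */
    if (end == NULL)
        return -1;                       /* longer than the buffer */
    len = (size_t)(end - src);
    add_slash = (as_dir && len > 0 && src[len - 1] != '/') ? 1 : 0;
    if (len + add_slash + 1 > dstsz)
        return -1;                       /* no room for '/' plus NUL */
    memcpy(dst, src, len);
    if (add_slash)
        dst[len++] = '/';
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    char path[PATH_BUF];
    char big[MAX_REQ];                   /* constructed over-long filename */

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short dir: %d\n", copy_path(path, sizeof path, "/home/www/docs", 1));
    printf("path now:  %s\n", path);
    printf("8191 chars: %d\n", copy_path(path, sizeof path, big, 0));
    return 0;
}
```

The caller has to act on the -1 (for example by denying the request); a destination that is left unmodified is only safe if it is not used afterwards.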