Source-Changes-D archive


Re: CVS commit: src/libexec/httpd



On Fri, Nov 21, 2014 at 08:54:12AM +0000, Mateusz Kocielski wrote:
> Module Name:	src
> Committed By:	shm
> Date:		Fri Nov 21 08:54:12 UTC 2014
> 
> Modified Files:
> 	src/libexec/httpd: bozohttpd.c
> 
> Log Message:
> Fixed off-by-one in virtualhost processing. Previous code was checking if
> Host header is a prefix of any existing vhost. This behaviour might be used to
> uncover existing virtual hosts from the remote.
> 
> OK @mrg
> 
> 
> To generate a diff of this commit:
> cvs rdiff -u -r1.57 -r1.58 src/libexec/httpd/bozohttpd.c
> 
> Please note that diffs are not public domain; they are subject to the
> copyright notices on the relevant files.
> 

> Modified files:
> 
> Index: src/libexec/httpd/bozohttpd.c
> diff -u src/libexec/httpd/bozohttpd.c:1.57 src/libexec/httpd/bozohttpd.c:1.58
> --- src/libexec/httpd/bozohttpd.c:1.57	Fri Oct 10 05:10:59 2014
> +++ src/libexec/httpd/bozohttpd.c	Fri Nov 21 08:54:12 2014
> @@ -1,4 +1,4 @@
> -/*	$NetBSD: bozohttpd.c,v 1.57 2014/10/10 05:10:59 mrg Exp $	*/
> +/*	$NetBSD: bozohttpd.c,v 1.58 2014/11/21 08:54:12 shm Exp $	*/
>  
>  /*	$eterna: bozohttpd.c,v 1.178 2011/11/18 09:21:15 mrg Exp $	*/
>  
> @@ -1093,8 +1093,8 @@ check_virtual(bozo_httpreq_t *request)
>  				}
>  				debug((httpd, DEBUG_OBESE, "looking at dir``%s''",
>  			 	   d->d_name));
> -				if (strncasecmp(d->d_name, request->hr_host,
> -				    len) == 0) {
> +				if (d->d_namlen == len && strcmp(d->d_name,
> +				    request->hr_host) == 0) {

I think we gained cASe-seNsItiVITy with this?

>  					/* found it, punch it */
>  					debug((httpd, DEBUG_OBESE, "found it punch it"));
>  					request->hr_virthostname =
> 
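Review bot: the new condition in check_virtual() compares with `strcmp(d->d_name, request->hr_host)`, which drops the case-insensitive comparison that the removed `strncasecmp` call provided, so a Host header that differs from the directory name only in letter case no longer selects that virtual host. Host names are case-insensitive, so the prefix-match fix can be kept without changing case handling by retaining the `d->d_namlen == len` length check and comparing with `strcasecmp(d->d_name, request->hr_host) == 0`. The log message should also state whether the change in case handling is intended.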


