tech-security archive
re: bozo .htpasswd exposure
OK, i've committed fixes for all these problems to -current.
one additional comment:
> (Additionally, the "|| basename[1]" part of the if clause seems to make
> assumptions of the contents of basename[0] and it seems could lead to
> bypassing the check_special_files call in the case of one-character-long
> directory names; but this statement needs more research)
this conditional should be OK. either basename is NULL or
it points to a non-nul char of a nul-terminated string,
so basename[1] should be valid to check.
thanks again for your research finding flaws in bozohttpd.
.mrg.