[src/trunk]: src/libexec/httpd Avoid .htpasswd exposure to authenticated user...

[leot <leot%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/9c6fd91752fc
branches:  trunk
changeset: 446711:9c6fd91752fc
user:      leot <leot%NetBSD.org@localhost>
date:      Sat Dec 15 12:39:22 2018 +0000

description:
Avoid .htpasswd exposure to authenticated users when .htpasswd is
in the slashdir too.

Problem reported by JP via tech-security@ and discussed with <mrg>, thanks!

diffstat:

 libexec/httpd/bozohttpd.c |  4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diffs (18 lines):

diff -r b3f9c28c26ca -r 9c6fd91752fc libexec/httpd/bozohttpd.c
--- a/libexec/httpd/bozohttpd.c Sat Dec 15 12:08:18 2018 +0000
+++ b/libexec/httpd/bozohttpd.c Sat Dec 15 12:39:22 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: bozohttpd.c,v 1.104 2018/12/15 09:28:27 leot Exp $     */
+/*     $NetBSD: bozohttpd.c,v 1.105 2018/12/15 12:39:22 leot Exp $     */
 
 /*     $eterna: bozohttpd.c,v 1.178 2011/11/18 09:21:15 mrg Exp $      */
 
@@ -1467,7 +1467,7 @@
        } else if (basename == NULL) {
                strcpy(path, ".");
                strcpy(dir, "");
-               basename = dir;
+               basename = request->hr_file + 1;
        } else {
                *basename++ = '\0';
                strcpy(path, dir);