#! /bin/sh /usr/share/dpatch/dpatch-run ## 008_make_include_safe by Adam Conrad ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: Avoid including dpkg droppings in globbed includes. @DPATCH@ --- apache2-2.2.0/server/config.c 2005-11-17 13:39:15.000000000 +0000 +++ apache2-2.2.0/server/config.c 2006-01-27 17:06:19.000000000 +0000 @@ -34,6 +34,7 @@ #include "apr_portable.h" #include "apr_file_io.h" #include "apr_fnmatch.h" +#include "apr_lib.h" #define APR_WANT_STDIO #define APR_WANT_STRFUNC @@ -1521,6 +1522,30 @@ return strcmp(f1->fname,f2->fname); } +static int fname_valid(const char *fname) { + const unsigned char *c = fname; + unsigned char bad_dpkg[] = "*.dpkg*"; + + if (!apr_isalnum(*c)) { + return 0; + } + ++c; + + + while (*c) { + if (!apr_isalnum(*c) && *c!='_' && *c!='-' && *c!='.') { + return 0; + } + ++c; + } + + if (!apr_fnmatch(bad_dpkg, fname, 0)) { + return 0; + } + + return 1; +} + static const char *process_resource_config_nofnmatch(server_rec *s, const char *fname, ap_directive_t **conftree, @@ -1564,7 +1589,8 @@ while (apr_dir_read(&dirent, APR_FINFO_DIRENT, dirp) == APR_SUCCESS) { /* strip out '.' and '..' */ if (strcmp(dirent.name, ".") - && strcmp(dirent.name, "..")) { + && strcmp(dirent.name, "..") + && fname_valid(dirent.name)) { fnew = (fnames *) apr_array_push(candidates); fnew->fname = ap_make_full_path(p, path, dirent.name); } @@ -1692,7 +1718,8 @@ if (strcmp(dirent.name, ".") && strcmp(dirent.name, "..") && (apr_fnmatch(pattern, dirent.name, - APR_FNM_PERIOD) == APR_SUCCESS)) { + APR_FNM_PERIOD) == APR_SUCCESS) + && fname_valid(dirent.name)) { fnew = (fnames *) apr_array_push(candidates); fnew->fname = ap_make_full_path(p, path, dirent.name); }