More changes to support fix for DirectoryIndex/stat() problem.

Reviewed by: Randy Terbush
Submitted by: Marc Slemko

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3@77424 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/RELEASE_1_1_X/src/main/http_request.c b/RELEASE_1_1_X/src/main/http_request.c
index a5426de71bbac37a82b58e4a5891e51fc83ae99f..180c2651af0511468927cac055990f968ac6f75b 100644 (file)
--- a/RELEASE_1_1_X/src/main/http_request.c
+++ b/RELEASE_1_1_X/src/main/http_request.c
@@ -197,7 +197,7 @@ int get_path_info(request_rec *r)
        } 
 #if defined(ENOENT)
        else {
-           log_reason("unable to determine if index file exists (stat() returned unexpected error)", r->filename, r);
+           log_printf(r->server, "access to %s failed for client; unable to determine if index file exists (stat() returned unexpected error)", r->filename);
            return FORBIDDEN;
        }
 #endif

diff --git a/RELEASE_1_1_X/src/modules/standard/mod_autoindex.c b/RELEASE_1_1_X/src/modules/standard/mod_autoindex.c
index c30b57c58d37d5120dfcdaf168b8fb0a4c34fa5f..4a15725279f4c33d87bfcd98cf22f92c62c01fe9 100644 (file)
--- a/RELEASE_1_1_X/src/modules/standard/mod_autoindex.c
+++ b/RELEASE_1_1_X/src/modules/standard/mod_autoindex.c
@@ -768,6 +768,7 @@ int handle_dir (request_rec *r)
       (dir_config_rec *)get_module_config (r->per_dir_config, &dir_module);
     char *names_ptr = d->index_names ? d->index_names : DEFAULT_INDEX;
     int allow_opts = allow_options (r);
+    int error_notfound = 0;
 
     if (r->uri[0] == '\0' || r->uri[strlen(r->uri)-1] != '/') {
        char* ifile;
@@ -808,9 +809,24 @@ int handle_dir (request_rec *r)
            return OK;
        }
 
-        destroy_sub_req (rr);
+       /* If the request returned something other than 404 (or 200),
+        * it means the module encountered some sort of problem. To be
+        * secure, we should return the error, rather than create
+        * along a (possibly unsafe) directory index.
+        *
+        * So we store the error, and if none of the listed files
+        * exist, we return the last error response we got, instead
+        * of a directory listing.
+        */
+       if (rr->status && rr->status != 404 && rr->status != 200)
+           error_notfound = rr->status;
+
+       destroy_sub_req (rr);
     }
 
+    if (error_notfound)
+       return error_notfound;
+ 
     if (r->method_number != M_GET) return NOT_IMPLEMENTED;
     
     /* OK, nothing easy.  Trot out the heavy artillery... */

diff --git a/RELEASE_1_1_X/src/modules/standard/mod_dir.c b/RELEASE_1_1_X/src/modules/standard/mod_dir.c
index c30b57c58d37d5120dfcdaf168b8fb0a4c34fa5f..4a15725279f4c33d87bfcd98cf22f92c62c01fe9 100644 (file)
--- a/RELEASE_1_1_X/src/modules/standard/mod_dir.c
+++ b/RELEASE_1_1_X/src/modules/standard/mod_dir.c
@@ -768,6 +768,7 @@ int handle_dir (request_rec *r)
       (dir_config_rec *)get_module_config (r->per_dir_config, &dir_module);
     char *names_ptr = d->index_names ? d->index_names : DEFAULT_INDEX;
     int allow_opts = allow_options (r);
+    int error_notfound = 0;
 
     if (r->uri[0] == '\0' || r->uri[strlen(r->uri)-1] != '/') {
        char* ifile;
@@ -808,9 +809,24 @@ int handle_dir (request_rec *r)
            return OK;
        }
 
-        destroy_sub_req (rr);
+       /* If the request returned something other than 404 (or 200),
+        * it means the module encountered some sort of problem. To be
+        * secure, we should return the error, rather than create
+        * along a (possibly unsafe) directory index.
+        *
+        * So we store the error, and if none of the listed files
+        * exist, we return the last error response we got, instead
+        * of a directory listing.
+        */
+       if (rr->status && rr->status != 404 && rr->status != 200)
+           error_notfound = rr->status;
+
+       destroy_sub_req (rr);
     }
 
+    if (error_notfound)
+       return error_notfound;
+ 
     if (r->method_number != M_GET) return NOT_IMPLEMENTED;
     
     /* OK, nothing easy.  Trot out the heavy artillery... */