summaryrefslogtreecommitdiffstats
path: root/mod_suphp-0.6.1-userdir.patch
diff options
context:
space:
mode:
Diffstat (limited to 'mod_suphp-0.6.1-userdir.patch')
-rw-r--r--mod_suphp-0.6.1-userdir.patch248
1 files changed, 248 insertions, 0 deletions
diff --git a/mod_suphp-0.6.1-userdir.patch b/mod_suphp-0.6.1-userdir.patch
new file mode 100644
index 0000000..fab7dfa
--- /dev/null
+++ b/mod_suphp-0.6.1-userdir.patch
@@ -0,0 +1,248 @@
+From miles at lubin.us Sat Dec 3 01:21:51 2005
+From: miles at lubin.us (Miles Lubin)
+Date: Sat Dec 3 01:23:25 2005
+Subject: [suPHP] mod_userdir patch for 0.6.1
+Message-ID: <4390E51F.3080506@lubin.us>
+
+Attached is the mod_userdir patch updated to 0.6.1.
+
+The patch allows suphp to correctly handle permissions with user sites,
+generated by mod_suphp; instead of using the permissions of the main
+site for force and paranoid mode, it will use the permissions of the
+correct user.
+
+Changes from 0.6.0 patch:
+- handle_userdir is enabled by default, set handle_userdir=false in
+/etc/suphp.conf to disable it
+- check the length of the url argument in checkUserDir() (a theoretical
+security issue, though not exploitable)
+- made the code more conforming to the suphp's coding style
+
+
+Miles Lubin
+
+-------------- next part --------------
+diff -ur suphp-0.6.1/doc/CONFIG suphp-0.6.1-userdir/doc/CONFIG
+--- suphp-0.6.1/doc/CONFIG 2005-11-26 14:45:49.000000000 -0500
++++ suphp-0.6.1-userdir/doc/CONFIG 2005-12-02 15:07:41.000000000 -0500
+@@ -95,6 +95,11 @@
+ Minimum GID allowed to execute scripts.
+ Defaults to compile-time value.
+
++handle_userdir:
++ Handle sites created by mod_userdir.
++ Scripts on userdir sites will be executed with the permissions
++ of the owner of the site. This option only affects force and paranoid mode.
++ This option is enabled by default.
+
+ 3. Handlers
+
+diff -ur suphp-0.6.1/doc/suphp.conf-example suphp-0.6.1-userdir/doc/suphp.conf-example
+--- suphp-0.6.1/doc/suphp.conf-example 2005-11-26 14:45:49.000000000 -0500
++++ suphp-0.6.1-userdir/doc/suphp.conf-example 2005-12-02 15:07:41.000000000 -0500
+@@ -38,6 +38,8 @@
+ ; Minimum GID
+ min_gid=100
+
++; Use correct permissions for mod_userdir sites
++handle_userdir=true
+
+ [handlers]
+ ;Handler for php-scripts
+diff -ur suphp-0.6.1/src/Application.cpp suphp-0.6.1-userdir/src/Application.cpp
+--- suphp-0.6.1/src/Application.cpp 2005-11-26 14:45:49.000000000 -0500
++++ suphp-0.6.1-userdir/src/Application.cpp 2005-12-02 17:18:27.000000000 -0500
+@@ -19,6 +19,7 @@
+ */
+
+ #include <iostream>
++#include <sstream>
+
+ #include "config.h"
+
+@@ -300,29 +301,33 @@
+ // Paranoid and force mode
+
+ #if (defined(OPT_USERGROUP_PARANOID) || defined(OPT_USERGROUP_FORCE))
+- std::string targetUsername, targetGroupname;
+- try {
+- targetUsername = environment.getVar("SUPHP_USER");
+- targetGroupname = environment.getVar("SUPHP_GROUP");
+- } catch (KeyNotFoundException& e) {
+- throw SecurityException(
++ if (config.getHandleUserdir() && checkUserDir(environment.getVar("SUPHP_URI"),targetUser)) {
++ targetGroup = targetUser.getGroupInfo();
++ } else {
++ std::string targetUsername, targetGroupname;
++ try {
++ targetUsername = environment.getVar("SUPHP_USER");
++ targetGroupname = environment.getVar("SUPHP_GROUP");
++ } catch (KeyNotFoundException& e) {
++ throw SecurityException(
+ "Environment variable SUPHP_USER or SUPHP_GROUP not set",
+ __FILE__, __LINE__);
+- }
++ }
+
+- if (targetUsername[0] == '#' && targetUsername.find_first_not_of(
++ if (targetUsername[0] == '#' && targetUsername.find_first_not_of(
+ "0123456789", 1) == std::string::npos) {
+- targetUser = api.getUserInfo(Util::strToInt(targetUsername.substr(1)));
+- } else {
+- targetUser = api.getUserInfo(targetUsername);
+- }
++ targetUser = api.getUserInfo(Util::strToInt(targetUsername.substr(1)));
++ } else {
++ targetUser = api.getUserInfo(targetUsername);
++ }
+
+- if (targetGroupname[0] == '#' && targetGroupname.find_first_not_of(
++ if (targetGroupname[0] == '#' && targetGroupname.find_first_not_of(
+ "0123456789", 1) == std::string::npos) {
+- targetGroup = api.getGroupInfo(
++ targetGroup = api.getGroupInfo(
+ Util::strToInt(targetGroupname.substr(1)));
+- } else {
+- targetGroup = api.getGroupInfo(targetGroupname);
++ } else {
++ targetGroup = api.getGroupInfo(targetGroupname);
++ }
+ }
+ #endif // OPT_USERGROUP_PARANOID || OPT_USERGROUP_FORCE
+
+@@ -473,6 +478,28 @@
+ }
+ }
+
++bool suPHP::Application::checkUserDir(const std::string& url, UserInfo& user) const {
++
++ if (url.length() <= 2 || url[1] != '~')
++ return false;
++
++ API& api = API_Helper::getSystemAPI();
++ std::string topDir;
++ std::istringstream strm(url);
++
++ for (int i = 0; i < 2; i++)
++ if (!std::getline(strm, topDir, '/'))
++ return false;
++
++ std::string userName = topDir.substr(1,topDir.length());
++
++ try {
++ user = api.getUserInfo(userName);
++ return true;
++ } catch (LookupException& e) {
++ return false;
++ }
++}
+
+ int main(int argc, char **argv) {
+ try {
+diff -ur suphp-0.6.1/src/Application.hpp suphp-0.6.1-userdir/src/Application.hpp
+--- suphp-0.6.1/src/Application.hpp 2005-11-26 14:45:49.000000000 -0500
++++ suphp-0.6.1-userdir/src/Application.hpp 2005-12-02 15:07:41.000000000 -0500
+@@ -39,6 +39,7 @@
+ #include "SystemException.hpp"
+ #include "SoftException.hpp"
+ #include "SecurityException.hpp"
++#include "UserInfo.hpp"
+
+ namespace suPHP {
+ /**
+@@ -107,6 +108,12 @@
+ const Configuration& config) const
+ throw (SoftException);
+
++ /**
++ * Checks if a given URL is a userdir
++ * associated user is assigned to the user parameter
++ */
++ bool checkUserDir(const std::string& url,
++ UserInfo& user) const;
+
+ public:
+ /**
+diff -ur suphp-0.6.1/src/Configuration.cpp suphp-0.6.1-userdir/src/Configuration.cpp
+--- suphp-0.6.1/src/Configuration.cpp 2005-11-26 14:45:49.000000000 -0500
++++ suphp-0.6.1-userdir/src/Configuration.cpp 2005-12-02 17:22:46.000000000 -0500
+@@ -112,6 +112,7 @@
+ #endif
+ this->umask = 0077;
+ this->chroot_path = "";
++ this->handle_userdir = true;
+ }
+
+ void suPHP::Configuration::readFromFile(File& file)
+@@ -157,6 +158,8 @@
+ this->umask = Util::octalStrToInt(value);
+ else if (key == "chroot")
+ this->chroot_path = value;
++ else if (key == "handle_userdir")
++ this->handle_userdir = this->strToBool(value);
+ else
+ throw ParsingException("Unknown option \"" + key +
+ "\" in section [global]",
+@@ -250,3 +253,7 @@
+ std::string suPHP::Configuration::getChrootPath() const {
+ return this->chroot_path;
+ }
++
++bool suPHP::Configuration::getHandleUserdir() const {
++ return this->handle_userdir;
++}
+diff -ur suphp-0.6.1/src/Configuration.hpp suphp-0.6.1-userdir/src/Configuration.hpp
+--- suphp-0.6.1/src/Configuration.hpp 2005-11-26 14:45:49.000000000 -0500
++++ suphp-0.6.1-userdir/src/Configuration.hpp 2005-12-02 15:07:41.000000000 -0500
+@@ -57,7 +57,8 @@
+ int min_gid;
+ int umask;
+ std::string chroot_path;
+-
++ bool handle_userdir;
++
+ /**
+ * Converts string to bool
+ */
+@@ -165,6 +166,12 @@
+ * Return chroot path
+ */
+ std::string getChrootPath() const;
++
++ /**
++ * Return whether to correctly handle mod_userdir sites
++ */
++ bool getHandleUserdir() const;
++
+ };
+ };
+
+diff -ur suphp-0.6.1/src/apache/mod_suphp.c suphp-0.6.1-userdir/src/apache/mod_suphp.c
+--- suphp-0.6.1/src/apache/mod_suphp.c 2005-11-26 14:45:49.000000000 -0500
++++ suphp-0.6.1-userdir/src/apache/mod_suphp.c 2005-12-02 15:07:41.000000000 -0500
+@@ -444,7 +444,10 @@
+ }
+ }
+ }
+-
++
++ /* for mod_userdir checking */
++ apr_table_setn(r->subprocess_env, "SUPHP_URI", apr_pstrdup(p, r->uri));
++
+ if (auth_user && auth_pass) {
+ ap_table_setn(r->subprocess_env, "SUPHP_AUTH_USER", auth_user);
+ ap_table_setn(r->subprocess_env, "SUPHP_AUTH_PW", auth_pass);
+diff -ur suphp-0.6.1/src/apache2/mod_suphp.c suphp-0.6.1-userdir/src/apache2/mod_suphp.c
+--- suphp-0.6.1/src/apache2/mod_suphp.c 2005-11-26 14:45:49.000000000 -0500
++++ suphp-0.6.1-userdir/src/apache2/mod_suphp.c 2005-12-02 15:07:41.000000000 -0500
+@@ -461,6 +461,10 @@
+ }
+ }
+
++ /* for mod_userdir checking */
++ apr_table_setn(r->subprocess_env, "SUPHP_URI",
++ apr_pstrdup(r->pool, r->uri));
++
+ if (auth_user && auth_pass)
+ {
+ apr_table_setn(r->subprocess_env, "SUPHP_AUTH_USER", auth_user);