Hello, I have discovered a minor bug in mod_mime_magic. If an entry in the magic file has the type "string" and a mime type containing "%n", and you try to fetch a file with Apache that matches that entry, the Apache child will crash with a segmentation fault.

I suppose that the reason why the code supports format strings in the desc variable is so you can use "%d" or "%s" and include data from the file you are trying to determine the type of in the output, but does anyone use this functionality with Apache? If they do, is it necessary to support the full format string functionality with things like "%n" and "%x", or is it enough to simulate a subset of it (say, only "%s" and "%d")?

Below is a session that shows off this problem by downloading a SID file, changing the magic file entry for SID files, and then crashing the Apache child by fetching the file.

// Ulf Harnhammar
metaur@telia.com

$ cd htdocs
$ wget http://hafnium.prg.dtu.dk/HVSC/C64Music/Galway_Martin/Yie_Ar_Kung_Fu.sid
--01:04:01--  http://hafnium.prg.dtu.dk/HVSC/C64Music/Galway_Martin/Yie_Ar_Kung_Fu.sid
           => `Yie_Ar_Kung_Fu.sid'
Resolving hafnium.prg.dtu.dk... 130.225.91.226
Connecting to hafnium.prg.dtu.dk|130.225.91.226|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7,934 (7.7K) [audio/prs.sid]

100%[=================================================================================================================>] 7,934         --.--K/s

01:04:01 (190.93 KB/s) - `Yie_Ar_Kung_Fu.sid' saved [7934/7934]

$ mv Yie_Ar_Kung_Fu.sid yiear.kungfu
$ cd ..
$ bin/httpd
$ nc localhost 1337
HEAD /yiear.kungfu HTTP/1.0

HTTP/1.1 200 OK
Date: Thu, 12 Oct 2006 23:05:01 GMT
Server: Apache/2.0.59 (Unix)
Last-Modified: Sat, 17 Aug 2002 23:55:45 GMT
ETag: "c46e-1efe-13ace240"
Accept-Ranges: bytes
Content-Length: 7934
Connection: close
Content-Type: audio/prs.sid

$ cd conf
$ fgrep prs.sid magic
0	string	PSID	audio/prs.sid
$ sed -e 's/prs\.sid/%n%n%n%n/' magic > magic2
$ mv magic2 magic
$ fgrep '%n%n' magic
0	string	PSID	audio/%n%n%n%n
$ ps ax | fgrep httpd
14354 ?        Ss     0:00 bin/httpd
14355 ?        S      0:00 bin/httpd
14356 ?        S      0:00 bin/httpd
14357 ?        S      0:00 bin/httpd
14358 ?        S      0:00 bin/httpd
14359 ?        S      0:00 bin/httpd
14361 ?        S      0:00 bin/httpd
14378 pts/0    R+     0:00 grep -F httpd
$ kill -HUP 14354
$ cd ..
$ nc localhost 1337
HEAD /yiear.kungfu HTTP/1.0

$ cd logs
$ cat access_log
127.0.0.1 - - [13/Oct/2006:01:05:01 +0200] "HEAD /yiear.kungfu HTTP/1.0" 200 -
$ cat error_log
[Fri Oct 13 01:04:46 2006] [notice] Apache/2.0.59 (Unix) configured -- resuming normal operations
[Fri Oct 13 01:05:58 2006] [notice] SIGHUP received.  Attempting to restart
[Fri Oct 13 01:05:58 2006] [notice] Apache/2.0.59 (Unix) configured -- resuming normal operations
[Fri Oct 13 01:06:17 2006] [notice] child pid 14379 exit signal Segmentation fault (11)
$
Created attachment 22332: validate the mime magic file correctly

Since the only use for placeholders (%xx) in desc is to allow a string from the file to be used, it cannot have more than one %xx. This can be checked during the read config time itself.
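The comment above proposes rejecting a desc with more than one placeholder when the magic file is read. The following C program is an added example written for this page, not Apache's mod_mime_magic code or the attached patch: it shows a config-time validator for a desc field and an expander that substitutes the single placeholder by hand, so the desc string is never passed to a printf-style function as a format. The function names, the choice to allow only "%s" and "%d" with no flags or widths, and the sample desc strings are assumptions made for the example.

```c
/* Added example (not Apache's code): validate a mod_mime_magic "desc"
 * field at config-read time and expand its one placeholder without ever
 * treating the desc as a printf format. Rules and names are assumptions. */
#include <stdio.h>
#include <string.h>

/* Conversions this example chooses to allow in a desc: a string from the
 * file (%s) or a number (%d). Anything else, including %n, is rejected. */
static int allowed_conversion(char c)
{
    return c == 's' || c == 'd';
}

/* Return 1 if desc is acceptable: "%%" is a literal percent sign, at most
 * one conversion specifier appears, and it is one of the allowed ones.
 * Flags, widths and length modifiers (e.g. "%-20s") are deliberately not
 * accepted so the check stays trivial to reason about. */
int magic_desc_is_valid(const char *desc)
{
    int conversions = 0;
    for (const char *p = desc; *p; p++) {
        if (*p != '%')
            continue;
        p++;                          /* look at the character after '%' */
        if (*p == '%')
            continue;                 /* escaped literal percent */
        if (!allowed_conversion(*p))
            return 0;                 /* %n, %x, "%-20s", trailing '%' ... */
        if (++conversions > 1)
            return 0;                 /* more than one placeholder */
    }
    return 1;
}

/* Expand a desc into out: "%%" -> '%', "%s"/"%d" -> value (the caller has
 * already rendered a number as text). Returns 0 on success, -1 if desc
 * fails validation or out is too small. The desc is copied byte by byte;
 * it is never used as a format string. */
int magic_desc_expand(const char *desc, const char *value,
                      char *out, size_t outlen)
{
    size_t o = 0;
    if (!magic_desc_is_valid(desc))
        return -1;
    for (const char *p = desc; *p; p++) {
        const char *src;
        size_t n;
        if (*p == '%') {
            p++;                      /* validated: '%' is never last */
            if (*p == '%') { src = "%";   n = 1; }
            else           { src = value; n = strlen(value); }
        } else {
            src = p; n = 1;
        }
        if (o + n >= outlen)
            return -1;                /* leave room for the terminator */
        memcpy(out + o, src, n);
        o += n;
    }
    out[o] = '\0';
    return 0;
}

/* Convenience check: does desc with value expand to expected? */
int magic_desc_expands_to(const char *desc, const char *value,
                          const char *expected)
{
    char buf[128];
    return magic_desc_expand(desc, value, buf, sizeof buf) == 0
        && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed desc values in the style of the magic file entries shown
     * in the report above (the %n one is the report's own crash trigger). */
    const char *entries[] = { "audio/prs.sid", "audio/%n%n%n%n",
                              "text/x-%s", "text/%s-%s", "text/100%%" };
    char buf[64];
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        int ok = magic_desc_is_valid(entries[i]);
        printf("%-16s %s\n", entries[i],
               ok ? "accepted" : "rejected at config read");
        if (ok && magic_desc_expand(entries[i], "PSID", buf, sizeof buf) == 0)
            printf("  expands to: %s\n", buf);
    }
    return 0;
}
```

With the check done while the magic file is read, a bad entry produces a configuration error at startup or reload instead of a crashing child at request time, and the expander means the remaining "%s"/"%d" support needs no printf-family call on operator-supplied text at all.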