Bug 40749 - magic file with string and "%n" causes Apache child to crash
Summary: magic file with string and "%n" causes Apache child to crash
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_mime_magic
Version: 2.5-HEAD
Hardware: PC Linux
Importance: P2 minor
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: PatchAvailable
Depends on:
Reported: 2006-10-12 16:41 UTC by Ulf Harnhammar
Modified: 2018-02-25 21:12 UTC

validate the mime magic file correctly (1.03 KB, patch)
2008-07-30 10:29 UTC, rahul

Description Ulf Harnhammar 2006-10-12 16:41:29 UTC

I have discovered a minor bug in mod_mime_magic. If an entry in the magic file
has the type "string" and a mime type containing "%n", and you try to fetch a
file with Apache that matches that entry, the Apache child will crash with a
segmentation fault.

I suppose that the reason why the code supports format strings in the desc
variable is so you can use "%d" or "%s" and include data from the file you are
trying to determine the type of in the output, but does anyone use this
functionality with Apache? If they do, is it necessary to support the full
format string functionality with things like "%n" and "%x", or is it enough to
simulate a subset of it (say, only "%s" and "%d")?

Below is a session that shows off this problem by downloading a SID file,
changing the magic file entry for SID files, and then crashing the Apache child
by fetching the file.

// Ulf Harnhammar

$ cd htdocs
$ wget http://hafnium.prg.dtu.dk/HVSC/C64Music/Galway_Martin/Yie_Ar_Kung_Fu.sid
           => `Yie_Ar_Kung_Fu.sid'
Resolving hafnium.prg.dtu.dk...
Connecting to hafnium.prg.dtu.dk||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7,934 (7.7K) [audio/prs.sid]

7,934         --.--K/s

01:04:01 (190.93 KB/s) - `Yie_Ar_Kung_Fu.sid' saved [7934/7934]

$ mv Yie_Ar_Kung_Fu.sid yiear.kungfu
$ cd ..
$ bin/httpd
$ nc localhost 1337
HEAD /yiear.kungfu HTTP/1.0

HTTP/1.1 200 OK
Date: Thu, 12 Oct 2006 23:05:01 GMT
Server: Apache/2.0.59 (Unix)
Last-Modified: Sat, 17 Aug 2002 23:55:45 GMT
ETag: "c46e-1efe-13ace240"
Accept-Ranges: bytes
Content-Length: 7934
Connection: close
Content-Type: audio/prs.sid

$ cd conf
$ fgrep prs.sid magic
0   string      PSID        audio/prs.sid
$ sed -e 's/prs\.sid/%n%n%n%n/' magic > magic2
$ mv magic2 magic
$ fgrep '%n%n' magic
0   string      PSID        audio/%n%n%n%n
$ ps ax | fgrep httpd
14354 ?        Ss     0:00 bin/httpd
14355 ?        S      0:00 bin/httpd
14356 ?        S      0:00 bin/httpd
14357 ?        S      0:00 bin/httpd
14358 ?        S      0:00 bin/httpd
14359 ?        S      0:00 bin/httpd
14361 ?        S      0:00 bin/httpd
14378 pts/0    R+     0:00 grep -F httpd
$ kill -HUP 14354
$ cd ..
$ nc localhost 1337
HEAD /yiear.kungfu HTTP/1.0

$ cd logs
$ cat access_log
- - [13/Oct/2006:01:05:01 +0200] "HEAD /yiear.kungfu HTTP/1.0" 200 -
$ cat error_log
[Fri Oct 13 01:04:46 2006] [notice] Apache/2.0.59 (Unix) configured -- resuming normal operations
[Fri Oct 13 01:05:58 2006] [notice] SIGHUP received.  Attempting to restart
[Fri Oct 13 01:05:58 2006] [notice] Apache/2.0.59 (Unix) configured -- resuming normal operations
[Fri Oct 13 01:06:17 2006] [notice] child pid 14379 exit signal Segmentation fault (11)
Comment 1 rahul 2008-07-30 10:29:10 UTC
Created attachment 22332
validate the mime magic file correctly

Since the only use for placeholders (%xx) in desc is to allow a string from the file to be used, it cannot have more than one %xx. This can be checked during the read config time itself.
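The following is an added example, not the attached patch and not httpd's own code: a config-time validator for the desc (MIME type) column of a magic file, written in the spirit of the description above and of comment 1. The crash occurs because the desc column is handed to a printf-style formatter, so `audio/%n%n%n%n` drives that formatter with conversions the file author controls. The validator counts conversions, treats `%%` as a literal percent sign, rejects more than one placeholder (comment 1's rule) and, going one step further than the comment, restricts the placeholder to `%s` and `%d`, the only two the reporter suggests anyone needs. The allowlist, the function names and the return codes are assumptions for illustration; the two magic lines in the demo are taken from the session above, the other three are constructed.

```c
/* Added example: validate a mod_mime_magic "desc" column before it is
 * ever used as a format string.  Not httpd code; names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Return codes for validate_magic_desc() (assumed, not httpd's). */
enum desc_status {
    DESC_OK = 0,               /* zero or one allowed placeholder */
    DESC_TOO_MANY = 1,         /* more than one placeholder */
    DESC_BAD_CONVERSION = 2,   /* %n, %x, or anything else not allowed */
    DESC_TRAILING_PERCENT = 3  /* lone '%' at end of string */
};

/* Conversions we are willing to pass through.  Assumption: only the
 * "%s" and "%d" forms mentioned in the report are needed. */
static int allowed_conversion(char c)
{
    return c == 's' || c == 'd';
}

/* Walk desc and count conversions.  "%%" is a literal percent sign and
 * does not count.  Flags, width and precision ('-', '.', digits) are
 * skipped so that "%-10s" is treated as a single %s conversion. */
enum desc_status validate_magic_desc(const char *desc)
{
    int conversions = 0;
    const char *p;

    for (p = desc; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '\0')
            return DESC_TRAILING_PERCENT;
        if (*p == '%')
            continue;                       /* "%%" -> literal '%' */
        while (*p == '-' || *p == '.' || isdigit((unsigned char)*p))
            p++;                            /* skip flags/width/precision */
        if (!allowed_conversion(*p))
            return DESC_BAD_CONVERSION;     /* %n, %x, %p, ... rejected */
        if (++conversions > 1)
            return DESC_TOO_MANY;
    }
    return DESC_OK;
}

/* Extract the desc column (everything after the third whitespace-
 * separated field: offset, type, test) of one magic line and validate
 * it.  A line with fewer than four fields carries no desc to format
 * and is reported as DESC_OK; a real parser would reject it separately. */
enum desc_status validate_magic_line(const char *line)
{
    const char *p = line;
    int field;

    while (isspace((unsigned char)*p))
        p++;                                /* tolerate leading blanks */
    for (field = 0; field < 3; field++) {
        while (*p != '\0' && !isspace((unsigned char)*p))
            p++;                            /* skip the field */
        while (isspace((unsigned char)*p))
            p++;                            /* skip the separator */
    }
    if (*p == '\0')
        return DESC_OK;
    return validate_magic_desc(p);
}

int main(void)
{
    static const char *const names[] = {
        "ok", "too many placeholders", "disallowed conversion", "trailing %"
    };
    /* First two lines are from the bug report's session; the rest are
     * constructed to exercise the other branches. */
    static const char *const lines[] = {
        "0   string      PSID        audio/prs.sid",
        "0   string      PSID        audio/%n%n%n%n",
        "0   string      PSID        audio/x-%s",
        "0   string      PSID        audio/%s-%d",
        "0   string      PSID        text/100%%-plain",
    };
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-46s -> %s\n", lines[i], names[validate_magic_line(lines[i])]);
    return 0;
}
```

Run as is to see each sample line classified; wired into config parsing, a non-`DESC_OK` result would be reported as a magic file syntax error at startup (or on the `SIGHUP` restart shown above), so a bad entry never reaches the formatter on a request.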
Comment 2 Rainer Jung 2018-02-25 21:12:48 UTC
Undo spam change