Fix directory traversal bug

CHANGES

@@ -1,136 +1,139 @@
+4.0:
+	Fix directory traversal vulnerability (fuzzie)
+
 3.1:
-  Add -. flag to disable vhosting
-  Support server push CGI
-  Handle busybox tcpsvd
-  Changed formatting of directory indexing
-  Handle read timeout
-  Fix if-modified-since bug with keepalive connections
-  Change to CGI's directory on exec
+	Add -. flag to disable vhosting
+	Support server push CGI
+	Handle busybox tcpsvd
+	Changed formatting of directory indexing
+	Handle read timeout
+	Fix if-modified-since bug with keepalive connections
+	Change to CGI's directory on exec
 
 3.0:
-  More or less a ground-up rewrite.  A few fnord parts remain
-    here and there.
+	More or less a ground-up rewrite.	A few fnord parts remain
+		here and there.
 
 2.0:
-  Replace poll with select, which is more portable and may be
-    slightly faster; however, it's only called for CGI and by
-    that point you've lost quite a bit in terms of speed
-  Remove Accept header parsing: it was broken and the result was
-    that the Accept header had no effect
-  Remove the .gz trick: I never used it, but I would not be averse
-    to adding it back if people liked it
-  Rename to "eris httpd" to acknowledge fork
-  Add regression test suite
-  Replace compile-time options with command-line ones
-  Fix segfault with directory listing of /
-  Replace buffer_1 and buffer_2 with stdio
-  Replace libowfat with libc
-  Add all patches from (defunct) Debian package
-  Fix if-modified-since date parsing
-  Make text content-types use charset=UTF-8
-  Change default content-type to application/octet-stream
-  Makefile no longer overrides CC and CPP from parent makes
-  Don't send Content-type if there's no content
-  New maintainer: Neale Pickett <neale@woozle.org>
+	Replace poll with select, which is more portable and may be
+		slightly faster; however, it's only called for CGI and by
+		that point you've lost quite a bit in terms of speed
+	Remove Accept header parsing: it was broken and the result was
+		that the Accept header had no effect
+	Remove the .gz trick: I never used it, but I would not be averse
+		to adding it back if people liked it
+	Rename to "eris httpd" to acknowledge fork
+	Add regression test suite
+	Replace compile-time options with command-line ones
+	Fix segfault with directory listing of /
+	Replace buffer_1 and buffer_2 with stdio
+	Replace libowfat with libc
+	Add all patches from (defunct) Debian package
+	Fix if-modified-since date parsing
+	Make text content-types use charset=UTF-8
+	Change default content-type to application/octet-stream
+	Makefile no longer overrides CC and CPP from parent makes
+	Don't send Content-type if there's no content
+	New maintainer: Neale Pickett <neale@woozle.org>
 
 1.10:
-  have fallback in case sendfile fails
+	have fallback in case sendfile fails
 
 1.9:
-  chdir to cgi's base dir (Kuba Winnicki)
-  set HTTP_ACCEPT_ENCODING environment variable (Kuba Winnicki)
-    We actually should export all HTTP headers as HTTP_[header]
-    Any takers?
-  Try not to send error message HTTP headers if we already sent the
-    headers from the CGI (Kuba Winnicki)
-  <ims -> <=ims (Gerrit Pape)
-  64-bit file I/O cleanliness
-  fix HTTP ranges (Joachim Berdal Haga via Gerrit Pape)
+	chdir to cgi's base dir (Kuba Winnicki)
+	set HTTP_ACCEPT_ENCODING environment variable (Kuba Winnicki)
+		We actually should export all HTTP headers as HTTP_[header]
+		Any takers?
+	Try not to send error message HTTP headers if we already sent the
+		headers from the CGI (Kuba Winnicki)
+	<ims -> <=ims (Gerrit Pape)
+	64-bit file I/O cleanliness
+	fix HTTP ranges (Joachim Berdal Haga via Gerrit Pape)
 
 1.8:
-  keep current environment in CGI (Laurent Bercot)
-  make fnord-conf use the UID and not the user name (Fridtjof Busse)
-  fix typo in buffer_putulonglong (Gerrit Pape)
-  fix CGI POST off-by-two typo (Mark Hopf)
-  fix gif->png conversion (Thomas Seck)
-  remove == bashism from fnord-conf (Thomas Seck)
-  add bittorrent mime type
-  make authorization data available to CGIs for GET, too (Paul Jarc)
-  fix conversion of host name to lower case (Gerrit Pape)
-  add small test cgi: cgi-post.c
-  fix CGI POST bug (Moe Wibble)
-  fix CGI PATH_TRANSLATED bug (Nicolas George)
-  add optional authentication support (Nicolas George, see README.auth)
-  make sure error messages are text/html
-  move /. -> /: conversion before demangling so it can actually be
-    used as security measure for installations that don't use chroot
+	keep current environment in CGI (Laurent Bercot)
+	make fnord-conf use the UID and not the user name (Fridtjof Busse)
+	fix typo in buffer_putulonglong (Gerrit Pape)
+	fix CGI POST off-by-two typo (Mark Hopf)
+	fix gif->png conversion (Thomas Seck)
+	remove == bashism from fnord-conf (Thomas Seck)
+	add bittorrent mime type
+	make authorization data available to CGIs for GET, too (Paul Jarc)
+	fix conversion of host name to lower case (Gerrit Pape)
+	add small test cgi: cgi-post.c
+	fix CGI POST bug (Moe Wibble)
+	fix CGI PATH_TRANSLATED bug (Nicolas George)
+	add optional authentication support (Nicolas George, see README.auth)
+	make sure error messages are text/html
+	move /. -> /: conversion before demangling so it can actually be
+		used as security measure for installations that don't use chroot
 
 1.7:
-  add .mov and .qt for quicktime, .mpg for video/mpeg and .wav for audio/x-wav
-  add mmap based file serving (should do zero-copy tcp just like sendfile)
-  add Pragma: no-cache to CGI responses
-  fix (apparently not exploitable) buffer overrun in do_cgi
-    This bug was found by Ralf Wildenhues.  To my knowledge it is
-    impossible to exploit this bug on any platform known to me.
-  fix (harmless) access to uninitialized data
+	add .mov and .qt for quicktime, .mpg for video/mpeg and .wav for audio/x-wav
+	add mmap based file serving (should do zero-copy tcp just like sendfile)
+	add Pragma: no-cache to CGI responses
+	fix (apparently not exploitable) buffer overrun in do_cgi
+		This bug was found by Ralf Wildenhues.	To my knowledge it is
+		impossible to exploit this bug on any platform known to me.
+	fix (harmless) access to uninitialized data
 
 1.6:
-  add support for $PATH_INFO in CGI environment.
-  add .pac for netscape proxy autoconfig
-  add .sig for application/pgp-signature
+	add support for $PATH_INFO in CGI environment.
+	add .pac for netscape proxy autoconfig
+	add .sig for application/pgp-signature
 
 1.5:
-  fix write timeout handling (found by Lukas Beeler)
-  fix fnord-conf to use the symbolic account name in run script
-    (Sebastian D.B. Krause)
+	fix write timeout handling (found by Lukas Beeler)
+	fix fnord-conf to use the symbolic account name in run script
+		(Sebastian D.B. Krause)
 
 1.4:
-  add dangling symlink based whole-host redirection (see README).  This
-    has the advantage that it can serve normal sites and redirect sites
-    on the same IP.
-  add support for non-TCP UCSPI environments (like ucspi-ssl).  Please
-    get the latest version of my ucspi-tcp IPv6 patch as I violated the
-    UCSPI spec with all versions before 0.88-diff11.
-  change logging from "127.0.0.1 200 23 Links_(0.96;_Unix) none /index.html"
-    to "127.0.0.1 200 23 localhost Links_(0.96;_Unix) none /index.html"
-    (i.e. include the Host: header).  Suggested by Thomas Bader.
-  add "immediate mode".  If you give fnord a command line argument, it
-    will change to that directory and if no "default" directory is
-    given, it will assume there are no virtual hosts and serve from the
-    current directory.  I have a shell script called "http" that does
-      tcpserver -RHl localhost 0 8000 /home/leitner/bin/fnord-idx .
-    to share some directory on my hard drive with some poor Windows
-    users without npoll (http://www.fefe.de/ncp/).  fnord-idx is a new
-    target (a fnord with DIR_LIST) that is auto-built by make.
+	add dangling symlink based whole-host redirection (see README).	This
+		has the advantage that it can serve normal sites and redirect sites
+		on the same IP.
+	add support for non-TCP UCSPI environments (like ucspi-ssl).	Please
+		get the latest version of my ucspi-tcp IPv6 patch as I violated the
+		UCSPI spec with all versions before 0.88-diff11.
+	change logging from "127.0.0.1 200 23 Links_(0.96;_Unix) none /index.html"
+		to "127.0.0.1 200 23 localhost Links_(0.96;_Unix) none /index.html"
+		(i.e. include the Host: header).	Suggested by Thomas Bader.
+	add "immediate mode".	If you give fnord a command line argument, it
+		will change to that directory and if no "default" directory is
+		given, it will assume there are no virtual hosts and serve from the
+		current directory.	I have a shell script called "http" that does
+			tcpserver -RHl localhost 0 8000 /home/leitner/bin/fnord-idx .
+		to share some directory on my hard drive with some poor Windows
+		users without npoll (http://www.fefe.de/ncp/).	fnord-idx is a new
+		target (a fnord with DIR_LIST) that is auto-built by make.
 
 1.3:
-  make directory listings use non-proportional fonts (thanks, Antonio Dias)
-  fnord will now optionally (default: enabled) normalize the incoming
-    host name, i.e. "www.domain.com" -> "www.domain.com:80".  That
-    should cut down on the number of symbolic links. ;)
-  remove timeout error message.  fnord will not drop the connection
-    without error message.  Mozilla used to display the error message
-    when the user caused another request on the connection with the
-    timeout.
-  Uwe Ohse found two more compilation problems.
+	make directory listings use non-proportional fonts (thanks, Antonio Dias)
+	fnord will now optionally (default: enabled) normalize the incoming
+		host name, i.e. "www.domain.com" -> "www.domain.com:80".	That
+		should cut down on the number of symbolic links. ;)
+	remove timeout error message.	fnord will not drop the connection
+		without error message.	Mozilla used to display the error message
+		when the user caused another request on the connection with the
+		timeout.
+	Uwe Ohse found two more compilation problems.
 
 1.2:
-  Olaf: I changed my initial CGI-interface to NOT use the filesystem but
-    two pipes.
-  Add whole-host redirect (see README)
-  Olaf: added direcory-lists and "index.cgi" support (normal CGI only !
-    "nph-index.cgi" is not supported). Fixed some problematic parts in the
-    CGI-interface (\n -> \r\n converter for http-header and CGI crash
-    handling)
-  Fix gzip encoding bug that only happened with keep-alive
+	Olaf: I changed my initial CGI-interface to NOT use the filesystem but
+		two pipes.
+	Add whole-host redirect (see README)
+	Olaf: added direcory-lists and "index.cgi" support (normal CGI only !
+		"nph-index.cgi" is not supported). Fixed some problematic parts in the
+		CGI-interface (\n -> \r\n converter for http-header and CGI crash
+		handling)
+	Fix gzip encoding bug that only happened with keep-alive
 
 1.1:
-  ship with the parts from libowfat that we actually use
-  minor speed-up.  sendfile is a drag for very small files, so those are
-    now sent through the same buffer the header is sent through.  That
-    sends the whole answer in one TCP packet if you are lucky, even
-    without the TCP_CORK magic from Linux.  Major speed-up for
-    benchmarks ;)
+	ship with the parts from libowfat that we actually use
+	minor speed-up.	sendfile is a drag for very small files, so those are
+		now sent through the same buffer the header is sent through.	That
+		sends the whole answer in one TCP packet if you are lucky, even
+		without the TCP_CORK magic from Linux.	Major speed-up for
+		benchmarks ;)
 
 1.0:
-  initial release
+	initial release

test.sh

@@ -149,6 +149,12 @@ title "Too many headers"
      printf 'Header: val\r\n'
  done
  printf '\r\n') | $HTTPD 2>/dev/null | grep -q 'HTTP/1.. 431 ' && pass || fail
+ 
+ title "Directory traversal"
+ printf 'GET /../default/index.html HTTP/1.0\r\n\r\n' | $HTTPD 2>/dev/null | grep -q 'HTTP/1.. 404' && pass || fail
+ 
+ title "Escaped directory traversal"
+ printf 'GET /%%2e%%2e/default/index.html HTTP/1.0\r\n\r\n' | $HTTPD 2>/dev/null | grep -q 'HTTP/1.. 404' && pass || fail
 
 
 H "If-Modified-Since"