Fix directory traversal bug

Neale Pickett 2013-02-11 10:59:16 -07:00
parent 25600693cc
commit 90660eae48
3 changed files with 639 additions and 629 deletions


@ -1,3 +1,6 @@
4.0:
Fix directory traversal vulnerability (fuzzie)
3.1: 3.1:
Add -. flag to disable vhosting Add -. flag to disable vhosting
Support server push CGI Support server push CGI

11
eris.c

@ -576,11 +576,6 @@ handle_request()
case '?': case '?':
query_string = p + 1; query_string = p + 1;
continue; continue;
case '.':
if (p[-1] == '/') {
c = ':';
}
break;
case '%': case '%':
if (p[1] && p[2]) { if (p[1] && p[2]) {
int a = fromhex(p[1]); int a = fromhex(p[1]);
@ -601,6 +596,12 @@ handle_request()
} }
*fsp = 0; *fsp = 0;
/* Change "/." to "/:" to keep "hidden" files such and prevent directory traversal */
while ((fsp = strstr(fspath, "/."))) {
*(fsp+1) = ':';
}
*(p++) = 0; /* NULL-terminate path */ *(p++) = 0; /* NULL-terminate path */
if (docgi && query_string) { if (docgi && query_string) {
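Review bot: The new loop in handle_request() only rewrites a dot that directly follows a slash, so it depends on fspath always beginning with '/'; that invariant is established outside this hunk and should be stated beside the loop or checked explicitly before it, so that a path whose first byte is a dot cannot slip past the rewrite. Each pass also restarts `strstr` at `fspath`; resuming at the byte just rewritten, `for (fsp = fspath; (fsp = strstr(fsp, "/.")); fsp++) fsp[1] = ':';`, keeps the scan linear on long request paths and leaves `fsp` NULL afterwards exactly as now. The comment reads as if words were dropped ("files such and prevent"); `/* Change "/." to "/:" after decoding, to keep dot-files hidden and prevent directory traversal */` says why the rewrite has to run on the decoded path. handle_request() starts and ends outside the hunk, so whether any other consumer still sees the unrewritten path cannot be judged from here.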


@ -150,6 +150,12 @@ title "Too many headers"
done done
printf '\r\n') | $HTTPD 2>/dev/null | grep -q 'HTTP/1.. 431 ' && pass || fail printf '\r\n') | $HTTPD 2>/dev/null | grep -q 'HTTP/1.. 431 ' && pass || fail
title "Directory traversal"
printf 'GET /../default/index.html HTTP/1.0\r\n\r\n' | $HTTPD 2>/dev/null | grep -q 'HTTP/1.. 404' && pass || fail
title "Escaped directory traversal"
printf 'GET /%%2e%%2e/default/index.html HTTP/1.0\r\n\r\n' | $HTTPD 2>/dev/null | grep -q 'HTTP/1.. 404' && pass || fail
H "If-Modified-Since" H "If-Modified-Since"
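Review bot: Both new cases put the dot-dot in the first path segment, so they do not pin the behaviour for a traversal sequence deeper in the path or for a mix of literal and escaped dots; one more case of each would guard the post-decoding rewrite against regressions. The status pattern `'HTTP/1.. 404'` also lacks the trailing space used by the 431 check just above; `grep -q 'HTTP/1.. 404 '` keeps the matches consistent and avoids matching a longer status token.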