Fix directory traversal bug

Neale Pickett 2013-02-11 10:59:16 -07:00
parent 25600693cc
commit 90660eae48
3 changed files with 639 additions and 629 deletions

CHANGES

@ -1,136 +1,139 @@
4.0:
Fix directory traversal vulnerability (fuzzie)
3.1: 3.1:
Add -. flag to disable vhosting Add -. flag to disable vhosting
Support server push CGI Support server push CGI
Handle busybox tcpsvd Handle busybox tcpsvd
Changed formatting of directory indexing Changed formatting of directory indexing
Handle read timeout Handle read timeout
Fix if-modified-since bug with keepalive connections Fix if-modified-since bug with keepalive connections
Change to CGI's directory on exec Change to CGI's directory on exec
3.0: 3.0:
More or less a ground-up rewrite. A few fnord parts remain More or less a ground-up rewrite. A few fnord parts remain
here and there. here and there.
2.0: 2.0:
Replace poll with select, which is more portable and may be Replace poll with select, which is more portable and may be
slightly faster; however, it's only called for CGI and by slightly faster; however, it's only called for CGI and by
that point you've lost quite a bit in terms of speed that point you've lost quite a bit in terms of speed
Remove Accept header parsing: it was broken and the result was Remove Accept header parsing: it was broken and the result was
that the Accept header had no effect that the Accept header had no effect
Remove the .gz trick: I never used it, but I would not be averse Remove the .gz trick: I never used it, but I would not be averse
to adding it back if people liked it to adding it back if people liked it
Rename to "eris httpd" to acknowledge fork Rename to "eris httpd" to acknowledge fork
Add regression test suite Add regression test suite
Replace compile-time options with command-line ones Replace compile-time options with command-line ones
Fix segfault with directory listing of / Fix segfault with directory listing of /
Replace buffer_1 and buffer_2 with stdio Replace buffer_1 and buffer_2 with stdio
Replace libowfat with libc Replace libowfat with libc
Add all patches from (defunct) Debian package Add all patches from (defunct) Debian package
Fix if-modified-since date parsing Fix if-modified-since date parsing
Make text content-types use charset=UTF-8 Make text content-types use charset=UTF-8
Change default content-type to application/octet-stream Change default content-type to application/octet-stream
Makefile no longer overrides CC and CPP from parent makes Makefile no longer overrides CC and CPP from parent makes
Don't send Content-type if there's no content Don't send Content-type if there's no content
New maintainer: Neale Pickett <neale@woozle.org> New maintainer: Neale Pickett <neale@woozle.org>
1.10: 1.10:
have fallback in case sendfile fails have fallback in case sendfile fails
1.9: 1.9:
chdir to cgi's base dir (Kuba Winnicki) chdir to cgi's base dir (Kuba Winnicki)
set HTTP_ACCEPT_ENCODING environment variable (Kuba Winnicki) set HTTP_ACCEPT_ENCODING environment variable (Kuba Winnicki)
We actually should export all HTTP headers as HTTP_[header] We actually should export all HTTP headers as HTTP_[header]
Any takers? Any takers?
Try not to send error message HTTP headers if we already sent the Try not to send error message HTTP headers if we already sent the
headers from the CGI (Kuba Winnicki) headers from the CGI (Kuba Winnicki)
<ims -> <=ims (Gerrit Pape) <ims -> <=ims (Gerrit Pape)
64-bit file I/O cleanliness 64-bit file I/O cleanliness
fix HTTP ranges (Joachim Berdal Haga via Gerrit Pape) fix HTTP ranges (Joachim Berdal Haga via Gerrit Pape)
1.8: 1.8:
keep current environment in CGI (Laurent Bercot) keep current environment in CGI (Laurent Bercot)
make fnord-conf use the UID and not the user name (Fridtjof Busse) make fnord-conf use the UID and not the user name (Fridtjof Busse)
fix typo in buffer_putulonglong (Gerrit Pape) fix typo in buffer_putulonglong (Gerrit Pape)
fix CGI POST off-by-two typo (Mark Hopf) fix CGI POST off-by-two typo (Mark Hopf)
fix gif->png conversion (Thomas Seck) fix gif->png conversion (Thomas Seck)
remove == bashism from fnord-conf (Thomas Seck) remove == bashism from fnord-conf (Thomas Seck)
add bittorrent mime type add bittorrent mime type
make authorization data available to CGIs for GET, too (Paul Jarc) make authorization data available to CGIs for GET, too (Paul Jarc)
fix conversion of host name to lower case (Gerrit Pape) fix conversion of host name to lower case (Gerrit Pape)
add small test cgi: cgi-post.c add small test cgi: cgi-post.c
fix CGI POST bug (Moe Wibble) fix CGI POST bug (Moe Wibble)
fix CGI PATH_TRANSLATED bug (Nicolas George) fix CGI PATH_TRANSLATED bug (Nicolas George)
add optional authentication support (Nicolas George, see README.auth) add optional authentication support (Nicolas George, see README.auth)
make sure error messages are text/html make sure error messages are text/html
move /. -> /: conversion before demangling so it can actually be move /. -> /: conversion before demangling so it can actually be
used as security measure for installations that don't use chroot used as security measure for installations that don't use chroot
1.7: 1.7:
add .mov and .qt for quicktime, .mpg for video/mpeg and .wav for audio/x-wav add .mov and .qt for quicktime, .mpg for video/mpeg and .wav for audio/x-wav
add mmap based file serving (should do zero-copy tcp just like sendfile) add mmap based file serving (should do zero-copy tcp just like sendfile)
add Pragma: no-cache to CGI responses add Pragma: no-cache to CGI responses
fix (apparently not exploitable) buffer overrun in do_cgi fix (apparently not exploitable) buffer overrun in do_cgi
This bug was found by Ralf Wildenhues. To my knowledge it is This bug was found by Ralf Wildenhues. To my knowledge it is
impossible to exploit this bug on any platform known to me. impossible to exploit this bug on any platform known to me.
fix (harmless) access to uninitialized data fix (harmless) access to uninitialized data
1.6: 1.6:
add support for $PATH_INFO in CGI environment. add support for $PATH_INFO in CGI environment.
add .pac for netscape proxy autoconfig add .pac for netscape proxy autoconfig
add .sig for application/pgp-signature add .sig for application/pgp-signature
1.5: 1.5:
fix write timeout handling (found by Lukas Beeler) fix write timeout handling (found by Lukas Beeler)
fix fnord-conf to use the symbolic account name in run script fix fnord-conf to use the symbolic account name in run script
(Sebastian D.B. Krause) (Sebastian D.B. Krause)
1.4: 1.4:
add dangling symlink based whole-host redirection (see README). This add dangling symlink based whole-host redirection (see README). This
has the advantage that it can serve normal sites and redirect sites has the advantage that it can serve normal sites and redirect sites
on the same IP. on the same IP.
add support for non-TCP UCSPI environments (like ucspi-ssl). Please add support for non-TCP UCSPI environments (like ucspi-ssl). Please
get the latest version of my ucspi-tcp IPv6 patch as I violated the get the latest version of my ucspi-tcp IPv6 patch as I violated the
UCSPI spec with all versions before 0.88-diff11. UCSPI spec with all versions before 0.88-diff11.
change logging from "127.0.0.1 200 23 Links_(0.96;_Unix) none /index.html" change logging from "127.0.0.1 200 23 Links_(0.96;_Unix) none /index.html"
to "127.0.0.1 200 23 localhost Links_(0.96;_Unix) none /index.html" to "127.0.0.1 200 23 localhost Links_(0.96;_Unix) none /index.html"
(i.e. include the Host: header). Suggested by Thomas Bader. (i.e. include the Host: header). Suggested by Thomas Bader.
add "immediate mode". If you give fnord a command line argument, it add "immediate mode". If you give fnord a command line argument, it
will change to that directory and if no "default" directory is will change to that directory and if no "default" directory is
given, it will assume there are no virtual hosts and serve from the given, it will assume there are no virtual hosts and serve from the
current directory. I have a shell script called "http" that does current directory. I have a shell script called "http" that does
tcpserver -RHl localhost 0 8000 /home/leitner/bin/fnord-idx . tcpserver -RHl localhost 0 8000 /home/leitner/bin/fnord-idx .
to share some directory on my hard drive with some poor Windows to share some directory on my hard drive with some poor Windows
users without npoll (http://www.fefe.de/ncp/). fnord-idx is a new users without npoll (http://www.fefe.de/ncp/). fnord-idx is a new
target (a fnord with DIR_LIST) that is auto-built by make. target (a fnord with DIR_LIST) that is auto-built by make.
1.3: 1.3:
make directory listings use non-proportional fonts (thanks, Antonio Dias) make directory listings use non-proportional fonts (thanks, Antonio Dias)
fnord will now optionally (default: enabled) normalize the incoming fnord will now optionally (default: enabled) normalize the incoming
host name, i.e. "www.domain.com" -> "www.domain.com:80". That host name, i.e. "www.domain.com" -> "www.domain.com:80". That
should cut down on the number of symbolic links. ;) should cut down on the number of symbolic links. ;)
remove timeout error message. fnord will not drop the connection remove timeout error message. fnord will not drop the connection
without error message. Mozilla used to display the error message without error message. Mozilla used to display the error message
when the user caused another request on the connection with the when the user caused another request on the connection with the
timeout. timeout.
Uwe Ohse found two more compilation problems. Uwe Ohse found two more compilation problems.
1.2: 1.2:
Olaf: I changed my initial CGI-interface to NOT use the filesystem but Olaf: I changed my initial CGI-interface to NOT use the filesystem but
two pipes. two pipes.
Add whole-host redirect (see README) Add whole-host redirect (see README)
Olaf: added direcory-lists and "index.cgi" support (normal CGI only ! Olaf: added direcory-lists and "index.cgi" support (normal CGI only !
"nph-index.cgi" is not supported). Fixed some problematic parts in the "nph-index.cgi" is not supported). Fixed some problematic parts in the
CGI-interface (\n -> \r\n converter for http-header and CGI crash CGI-interface (\n -> \r\n converter for http-header and CGI crash
handling) handling)
Fix gzip encoding bug that only happened with keep-alive Fix gzip encoding bug that only happened with keep-alive
1.1: 1.1:
ship with the parts from libowfat that we actually use ship with the parts from libowfat that we actually use
minor speed-up. sendfile is a drag for very small files, so those are minor speed-up. sendfile is a drag for very small files, so those are
now sent through the same buffer the header is sent through. That now sent through the same buffer the header is sent through. That
sends the whole answer in one TCP packet if you are lucky, even sends the whole answer in one TCP packet if you are lucky, even
without the TCP_CORK magic from Linux. Major speed-up for without the TCP_CORK magic from Linux. Major speed-up for
benchmarks ;) benchmarks ;)
1.0: 1.0:
initial release initial release
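Review bot: the new 4.0 entry at the top of the hunk, "Fix directory traversal vulnerability (fuzzie)", records a security fix without saying what was wrong or what is now refused, and since the eris.c diff is suppressed on this page the changelog is the only description a reader gets. Suggest stating the scope in the entry itself, in the style of the 1.8 line "move /. -> /: conversion before demangling so it can actually be used as security measure for installations that don't use chroot": which request-path forms are now rejected (a literal `..` component and its percent-encoded `%2e%2e` form, which are the two cases the tests in this commit exercise) and whether the check runs before or after URL decoding. A one-line entry for a vulnerability should also say which releases are affected, so packagers can tell whether they need to pick it up.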

eris.c

File diff suppressed because it is too large

View File

@ -149,6 +149,12 @@ title "Too many headers"
printf 'Header: val\r\n' printf 'Header: val\r\n'
done done
printf '\r\n') | $HTTPD 2>/dev/null | grep -q 'HTTP/1.. 431 ' && pass || fail printf '\r\n') | $HTTPD 2>/dev/null | grep -q 'HTTP/1.. 431 ' && pass || fail
title "Directory traversal"
printf 'GET /../default/index.html HTTP/1.0\r\n\r\n' | $HTTPD 2>/dev/null | grep -q 'HTTP/1.. 404' && pass || fail
title "Escaped directory traversal"
printf 'GET /%%2e%%2e/default/index.html HTTP/1.0\r\n\r\n' | $HTTPD 2>/dev/null | grep -q 'HTTP/1.. 404' && pass || fail
H "If-Modified-Since" H "If-Modified-Since"
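Review bot: both new tests assert only `grep -q 'HTTP/1.. 404'`, which also passes if `default/index.html` simply does not exist in the test tree or the request fails before path resolution for an unrelated reason, so a regression that reopened the traversal but found nothing at that path would go unnoticed. Suggest pairing them with a positive control that fetches the same file through its legitimate path and expects 200, and asserting that the traversal request is not 200 rather than pinning 404 (a server that answers `..` with 400 would be equally correct). The `%%2e%%2e` in the printf format is right, since `%%` is how printf emits a literal `%`, but the upper-case `%2E%2E`, the mixed form `.%2e/` and `..%2f` are not covered; one extra line per variant in the same shape as the "Escaped directory traversal" test would close that gap. Minor: "Percent-encoded directory traversal" is a more precise title than "Escaped directory traversal".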