Commit 3bd79c7c authored by Dinis Rosário's avatar Dinis Rosário Committed by Marko Mikulicic

Fix remove_double_dots_and_double_slashes removing all the dots leading http…

Fix remove_double_dots_and_double_slashes removing all the dots leading http server to serve wrong URI

If the uri is something like '/js/...jquery.js', remove_double_dots_and_double_slashes will remove the 3 dots and the http server will serves the /js/jquery.js file.
remove_double_dots_and_double_slashes should check if a dot or double dots is followed by a slash (or backslash) and only remove this to avoid disclosure attack.
parent c52e0744
...@@ -2430,7 +2430,9 @@ static void remove_double_dots_and_double_slashes(char *s) { ...@@ -2430,7 +2430,9 @@ static void remove_double_dots_and_double_slashes(char *s) {
// Skip all following slashes, backslashes and double-dots // Skip all following slashes, backslashes and double-dots
while (s[0] != '\0') { while (s[0] != '\0') {
if (s[0] == '/' || s[0] == '\\') { s++; } if (s[0] == '/' || s[0] == '\\') { s++; }
else if (s[0] == '.' && s[1] == '.') { s += 2; } else if (s[0] == '.' && (s[1] == '/' || s[1] == '\\')) { s += 2; }
else if (s[0] == '.' && s[1] == '.' && s[2] == '\0') { s += 2; }
else if (s[0] == '.' && s[1] == '.' && (s[2] == '/' || s[2] == '\\')) { s += 3; }
else { break; } else { break; }
} }
} }
......
...@@ -198,17 +198,19 @@ static const char *test_match_prefix(void) { ...@@ -198,17 +198,19 @@ static const char *test_match_prefix(void) {
} }
static const char *test_remove_double_dots() { static const char *test_remove_double_dots() {
struct { char before[20], after[20]; } data[] = { struct { char before[30], after[30]; } data[] = {
{"////a", "/a"}, {"////a", "/a"},
{"/.....", "/."}, {"/.....", "/....."},
{"/......", "/"}, {"/......", "/......"},
{"...", "..."}, {"...", "..."},
{"/...///", "/./"}, {"/...///", "/.../"},
{"/a...///", "/a.../"}, {"/a...///", "/a.../"},
{"/.x", "/.x"}, {"/.x", "/.x"},
{"/\\", "/"}, {"/\\", "/"},
{"/a\\", "/a\\"}, {"/a\\", "/a\\"},
{"/a\\\\...", "/a\\."}, {"/a\\\\...", "/a\\..."},
{"foo/x..y/././y/../../..", "foo/x..y/y/"},
{"foo/..x", "foo/..x"},
}; };
size_t i; size_t i;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment