From fb8fbec98079cce7f639641bf729272b3fb125c2 Mon Sep 17 00:00:00 2001 From: Nishi Date: Thu, 19 Sep 2024 07:44:13 +0000 Subject: [PATCH] security fix: heck path later git-svn-id: file:///raid/svn-personal/tewi/trunk@69 8739d7e6-ffea-ec47-b151-bdff447c6205 --- Server/http.c | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/Server/http.c b/Server/http.c index 979d090..fbbbf8d 100644 --- a/Server/http.c +++ b/Server/http.c @@ -297,5 +297,44 @@ getout: } free(req->path); req->path = result; + + int incr = 0; + char* p = malloc(1); + p[0] = 0; + int j; + for(j = 0;; j++) { + if(req->path[j] == '/' || req->path[j] == 0) { + char oldc = req->path[j]; + cbuf[0] = oldc; + req->path[j] = 0; + + char* pth = req->path + incr; + + if(strcmp(pth, "..") == 0) { + int k; + if(p[strlen(p) - 1] == '/') p[strlen(p) - 1] = 0; + for(k = strlen(p) - 1; k >= 0; k--) { + if(p[k] == '/') { + p[k + 1] = 0; + break; + } + } + if(strlen(p) == 0) { + free(p); + p = cm_strdup("/"); + } + } else if(strcmp(pth, ".") == 0) { + } else if(oldc != '\\') { + char* tmp = p; + p = cm_strcat3(tmp, pth, cbuf); + free(tmp); + } + + incr = j + 1; + if(oldc == 0) break; + } + } + free(req->path); + req->path = p; return 0; } -- 2.43.0