clone: fix directory traversal

This was introduced in the initial version of this code, way back when
in 2008.

$ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/sh
...

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Jann Horn <jannh@google.com>

diff --git a/ui-clone.c b/ui-clone.c
index 2c1ac3daa8e827f49afc2f369a18456867f153b9..6ba8f361e6ae63bf13de716a16957c3bbe73f58a 100644 (file)
--- a/ui-clone.c
+++ b/ui-clone.c
@@ -92,17 +92,32 @@ void cgit_clone_info(void)
 
 void cgit_clone_objects(void)
 {
-       if (!ctx.qry.path) {
-               cgit_print_error_page(400, "Bad request", "Bad request");
-               return;
-       }
+       char *p;
+
+       if (!ctx.qry.path)
+               goto err;
 
        if (!strcmp(ctx.qry.path, "info/packs")) {
                print_pack_info();
                return;
        }
 
+       /* Avoid directory traversal by forbidding "..", but also work around
+        * other funny business by just specifying a fairly strict format. For
+        * example, now we don't have to stress out about the Cygwin port.
+        */
+       for (p = ctx.qry.path; *p; ++p) {
+               if (*p == '.' && *(p + 1) == '.')
+                       goto err;
+               if (!isalnum(*p) && *p != '/' && *p != '.' && *p != '-')
+                       goto err;
+       }
+
        send_file(git_path("objects/%s", ctx.qry.path));
+       return;
+
+err:
+       cgit_print_error_page(400, "Bad request", "Bad request");
 }
 
 void cgit_clone_head(void)