diff options
| author |   Ingo Schwarze <schwarze@openbsd.org> | 2014-07-19 11:35:12 +0000 |
|---|---|---|
| committer | Ingo Schwarze <schwarze@openbsd.org> | 2014-07-19 11:35:12 +0000 |
| commit | 52307465eda0160606943b97a728c54484b26fd7 (patch) | |
| tree | ddc206065fec999715195d40c22fe7c288de3e94 /cgi.c | |
| parent | 6d9b8bc9ac9935024b9c1b5d06d4f294d7fce3d1 (diff) | |
| download | mandoc-52307465eda0160606943b97a728c54484b26fd7.tar.gz mandoc-52307465eda0160606943b97a728c54484b26fd7.tar.zst mandoc-52307465eda0160606943b97a728c54484b26fd7.zip | |
Security fix:
Validate the name of the file to show before opening it.
Only allow relative filenames starting with "man" or "cat"
and containing neither "/.." nor "../".
While here, correct the condition discarding an initial "./".
Vulnerability found by Sebastien Marie <semarie-openbsd at latrappe dot fr>.
Many thanks for sending a patch; however, i did not use it but made the
checks even stricter.
Diffstat (limited to 'cgi.c')
| -rw-r--r-- | cgi.c | 31 |
1 files changed, 29 insertions, 2 deletions
@@ -1,4 +1,4 @@ -/* $Id: cgi.c,v 1.75 2014/07/18 19:03:39 schwarze Exp $ */ +/* $Id: cgi.c,v 1.76 2014/07/19 11:35:12 schwarze Exp $ */ /* * Copyright (c) 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2014 Ingo Schwarze <schwarze@usta.de> @@ -466,6 +466,17 @@ resp_searchform(const struct req *req) puts("<!-- End search form. //-->"); } +static int +validate_filename(const char *file) +{ + + if ('.' == file[0] && '/' == file[1]) + file += 2; + + return ( ! (strstr(file, "../") || strstr(file, "/..") || + (strncmp(file, "man", 3) && strncmp(file, "cat", 3)))); +} + static void pg_index(const struct req *req) { @@ -523,6 +534,15 @@ pg_searchres(const struct req *req, struct manpage *r, size_t sz) int prio, priouse; char sec; + for (i = 0; i < sz; i++) { + if (validate_filename(r[i].file)) + continue; + fprintf(stderr, "invalid filename %s in %s database\n", + r[i].file, req->q.manpath); + pg_error_internal(); + return; + } + if (1 == sz) { /* * If we have just one result, then jump there now @@ -777,7 +797,8 @@ format(const struct req *req, const char *file) static void resp_show(const struct req *req, const char *file) { - if ('.' == file[0] || '/' == file[1]) + + if ('.' == file[0] && '/' == file[1]) file += 2; if ('c' == *file) @@ -810,6 +831,12 @@ pg_show(const struct req *req, const char *path) return; } + if ( ! validate_filename(sub)) { + pg_error_badrequest( + "You specified an invalid manual file."); + return; + } + resp_begin_html(200, NULL); resp_searchform(req); resp_show(req, sub); |