From feccde6a9f0d0d1abbe2fdf32faf8c81aa8bb4c7 Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@redhat.com>
Date: Sun, 9 Sep 2018 11:05:05 +0200
Subject: [PATCH 2/2] src: Deny using %2F when serving file paths
The two invalid characters in Unix file names are zero and /.
Deny using these in an encoded form, since doing so bypasses how paths
are broken apart in HTTP URLs.
Closes #10028
---
src/common/cockpitwebresponse.c | 2 +-
src/common/test-webresponse.c | 18 ++++++++++++++++++
2 files changed, 19 insertions(+), 1 deletion(-)
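--- a/src/common/cockpitwebresponse.c
+++ b/src/common/cockpitwebresponse.c
@@ -1299,7 +1299,7 @@ web_response_file (CockpitWebResponse *response,
 g_return_if_fail (escaped != NULL);
 
 /* Someone is trying to escape the root directory, or access hidden files? */
-unescaped = g_uri_unescape_string (escaped, NULL);
+unescaped = g_uri_unescape_string (escaped, "/");
 if (!unescaped || strstr (unescaped, "/.") || strstr (unescaped, "../") || strstr (unescaped, "//"))
 {
 g_debug ("%s: invalid path request", escaped);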
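Review bot: The comment above the unescape call still describes only root-escape and hidden-file attempts, while the new `"/"` illegal-characters argument is what makes an encoded `%2F` fail the `!unescaped` test on the following line; a reader has to know g_uri_unescape_string's NULL-on-illegal-character contract to see why that argument is the fix. I would extend the comment to `/* An escaped '/' must not decode into a separator that the URL path splitting never saw; g_uri_unescape_string returns NULL for it, which the check below rejects. */`. As far as I recall GLib also refuses an escaped NUL regardless of the illegal-characters argument, which is what the commit message relies on for the zero byte, so that is worth stating in the same comment since nothing in the hunk checks it explicitly. web_response_file begins before and continues after this hunk.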
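--- a/src/common/test-webresponse.c
+++ b/src/common/test-webresponse.c
@@ -309,6 +309,22 @@ test_file_encoding_denied (TestCase *tc,
 free (root);
 }
 
+static void
+test_file_slash_denied (TestCase *tc,
+gconstpointer user_data)
+{
+gchar *root = realpath ( SRCDIR "/src", NULL);
+const gchar *roots[] = { root, NULL };
+const gchar *breakout = "/common%2fMakefile-common.am";
+gchar *check = g_build_filename (roots[0], "common", "Makefile-common.am", NULL);
+g_assert (root);
+g_assert (g_file_test (check, G_FILE_TEST_EXISTS));
+g_free (check);
+cockpit_web_response_file (tc->response, breakout, roots);
+cockpit_assert_strmatch (output_as_string (tc), "HTTP/1.1 404*");
+free (root);
+}
+
 static void
 test_file_breakout_non_existant (TestCase *tc,
 gconstpointer user_data)
@@ -1440,6 +1456,8 @@ main (int argc,
 setup, test_file_breakout_denied, teardown);
 g_test_add ("/web-response/file/invalid-encoding-denied", TestCase, NULL,
 setup, test_file_encoding_denied, teardown);
+g_test_add ("/web-response/file/file-slash-denied", TestCase, NULL,
+setup, test_file_slash_denied, teardown);
 g_test_add ("/web-response/file/breakout-non-existant", TestCase, NULL,
 setup, test_file_breakout_non_existant, teardown);
 g_test_add ("/web-reponse/file/template", TestCase, &template_fixture,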
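Review bot: In test_file_slash_denied, `check` is built from `roots[0]` before `g_assert (root)` runs, so a failed realpath feeds a NULL first element into g_build_filename before the assertion reports the actual cause; move `g_assert (root);` to directly after the realpath call. The test also exercises only lowercase `%2f`, while the subject line names `%2F`; g_uri_unescape_string is expected to treat both hex cases alike, but a second request with `"/common%2FMakefile-common.am"` (and ideally one with a leading `%2F`) would pin that in the test rather than assume it. The second hunk in main only registers the new test and needs nothing further.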
--
2.17.1