author | Matt Caswell <matt@openssl.org> | 2019-10-18 16:40:44 +0100 |
committer | Matt Caswell <matt@openssl.org> | 2019-10-28 13:11:15 +0000 |
commit | 0a4d6c67480a4d2fce514e08d3efe571f2ee99c9 (patch) | |
tree | e67043137d9872989cdf21ce65f68f803d6f1e0e /apps/s_server.c | |
parent | c549cb46e0d3cb4e611acafae5f919b4a8df4007 (diff) | |
Fix an s_server arbitrary file read issue on Windows
Running s_server in WWW mode on Windows can allow a client to read files
outside the s_server directory by including backslashes in the name, e.g.
GET /..\myfile.txt HTTP/1.0
There exists a check for this for Unix paths but it is not sufficient
for Windows.
Since s_server is a test tool no CVE is assigned.
Thanks to Jobert Abma for reporting this.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10215)
Diffstat (limited to 'apps/s_server.c')
-rw-r--r-- | apps/s_server.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/apps/s_server.c b/apps/s_server.c
index 0380468080..5f58ef68fe 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -3211,6 +3211,12 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
                 if (e[0] == ' ')
                     break;
 
+                if (e[0] == ':') {
+                    /* Windows drive. We treat this the same way as ".." */
+                    dot = -1;
+                    break;
+                }
+
                 switch (dot) {
                 case 1:
                     dot = (e[0] == '.') ? 2 : 0;
@@ -3219,11 +3225,11 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
                     dot = (e[0] == '.') ? 3 : 0;
                     break;
                 case 3:
-                    dot = (e[0] == '/') ? -1 : 0;
+                    dot = (e[0] == '/' || e[0] == '\\') ? -1 : 0;
                     break;
                 }
                 if (dot == 0)
-                    dot = (e[0] == '/') ? 1 : 0;
+                    dot = (e[0] == '/' || e[0] == '\\') ? 1 : 0;
             }
             dot = (dot == 3) || (dot == -1); /* filename contains ".."
                                               * component */
@@ -3237,11 +3243,11 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
 
             if (dot) {
                 BIO_puts(io, text);
-                BIO_printf(io, "'%s' contains '..' reference\r\n", p);
+                BIO_printf(io, "'%s' contains '..' or ':'\r\n", p);
                 break;
             }
 
-            if (*p == '/') {
+            if (*p == '/' || *p == '\\') {
                 BIO_puts(io, text);
                 BIO_printf(io, "'%s' is an invalid path\r\n", p);
                 break;
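Review bot: The separator test `e[0] == '/' || e[0] == '\\'` is now spelled out three times across these hunks (the `dot = -1` and `dot = 1` assignments in the second hunk and the `*p` check in the third), so a later change to the accepted separator set can easily miss one site; a single helper such as `static int is_path_sep(int c) { return c == '/' || c == '\\'; }` next to www_body, used as `dot = is_path_sep(e[0]) ? -1 : 0;` and `if (is_path_sep(*p)) {`, keeps the policy in one place. The comment on the new ':' branch in the first hunk would also benefit from saying that the rejection is unconditional — it fires on every platform, not only Windows, which the commit message does not make explicit — and that ':' likewise excludes NTFS alternate-data-stream suffixes, e.g. `/* ':' introduces a Windows drive letter or an NTFS stream suffix; reject it on every platform, same as ".." */`. The body of www_body begins and ends outside these hunks, so the later use of `e` after the new `break` is not visible here and is presumably covered by the existing end-of-name handling.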