mirror of
https://github.com/cesanta/mongoose.git
synced 2025-07-23 21:56:16 +08:00
enhanced path sanitizing
This commit is contained in:
parent
4b0e34cdf4
commit
2f1a836bf0
@ -12,11 +12,13 @@ static void cb(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
|
||||
if (mg_http_match_uri(hm, "/upload")) {
|
||||
char path[80], name[64];
|
||||
mg_http_get_var(&hm->query, "name", name, sizeof(name));
|
||||
mg_snprintf(path, sizeof(path), "/tmp/%s", name);
|
||||
if (name[0] == '\0') {
|
||||
mg_http_reply(c, 400, "", "%s", "name required");
|
||||
} else if (!mg_path_is_sane(path)) {
|
||||
mg_http_reply(c, 400, "", "%s", "invalid path");
|
||||
} else {
|
||||
mg_snprintf(path, sizeof(path), "/tmp/%s", name);
|
||||
mg_http_upload(c, hm, &mg_fs_posix, mg_remove_double_dots(path), 99999);
|
||||
mg_http_upload(c, hm, &mg_fs_posix, path, 99999);
|
||||
}
|
||||
} else {
|
||||
struct mg_http_serve_opts opts = {.root_dir = "web_root"};
|
||||
|
42
mongoose.c
42
mongoose.c
@ -1842,6 +1842,7 @@ struct printdirentrydata {
|
||||
const char *dir;
|
||||
};
|
||||
|
||||
#if MG_ENABLE_DIRLIST
|
||||
static void printdirentry(const char *name, void *userdata) {
|
||||
struct printdirentrydata *d = (struct printdirentrydata *) userdata;
|
||||
struct mg_fs *fs = d->opts->fs == NULL ? &mg_fs_posix : d->opts->fs;
|
||||
@ -1948,6 +1949,7 @@ static void listdir(struct mg_connection *c, struct mg_http_message *hm,
|
||||
memcpy(c->send.buf + off - 12, tmp, n); // Set content length
|
||||
c->is_resp = 0; // Mark response end
|
||||
}
|
||||
#endif
|
||||
|
||||
// Resolve requested file into `path` and return its fs->st() result
|
||||
static int uri_to_path2(struct mg_connection *c, struct mg_http_message *hm,
|
||||
@ -1956,13 +1958,20 @@ static int uri_to_path2(struct mg_connection *c, struct mg_http_message *hm,
|
||||
int flags, tmp;
|
||||
// Append URI to the root_dir, and sanitize it
|
||||
size_t n = mg_snprintf(path, path_size, "%.*s", (int) dir.len, dir.ptr);
|
||||
if (n > path_size) n = path_size;
|
||||
if (n > path_size) {
|
||||
mg_http_reply(c, 400, "", "Exceeded path size");
|
||||
return -1;
|
||||
}
|
||||
path[path_size - 1] = '\0';
|
||||
if (n + 2 < path_size) path[n++] = '/', path[n] = '\0';
|
||||
// Terminate root dir with /
|
||||
if (n + 2 < path_size && path[n-1] != '/') path[n++] = '/', path[n] = '\0';
|
||||
mg_url_decode(hm->uri.ptr + url.len, hm->uri.len - url.len, path + n,
|
||||
path_size - n, 0);
|
||||
path[path_size - 1] = '\0'; // Double-check
|
||||
mg_remove_double_dots(path);
|
||||
if (!mg_path_is_sane(path)) {
|
||||
mg_http_reply(c, 400, "", "Invalid path");
|
||||
return -1;
|
||||
}
|
||||
n = strlen(path);
|
||||
while (n > 1 && path[n - 1] == '/') path[--n] = 0; // Trim trailing slashes
|
||||
flags = mg_vcmp(&hm->uri, "/") == 0 ? MG_FS_DIR : fs->st(path, NULL, NULL);
|
||||
@ -2022,7 +2031,11 @@ void mg_http_serve_dir(struct mg_connection *c, struct mg_http_message *hm,
|
||||
if (flags < 0) {
|
||||
// Do nothing: the response has already been sent by uri_to_path()
|
||||
} else if (flags & MG_FS_DIR) {
|
||||
#if MG_ENABLE_DIRLIST
|
||||
listdir(c, hm, opts, path);
|
||||
#else
|
||||
mg_http_reply(c, 403, "", "Forbidden\n");
|
||||
#endif
|
||||
} else if (flags && sp != NULL &&
|
||||
mg_globmatch(sp, strlen(sp), path, strlen(path))) {
|
||||
mg_http_serve_ssi(c, opts->root_dir, path);
|
||||
@ -5402,25 +5415,14 @@ void mg_unhex(const char *buf, size_t len, unsigned char *to) {
|
||||
}
|
||||
}
|
||||
|
||||
char *mg_remove_double_dots(char *s) {
|
||||
char *saved = s, *p = s;
|
||||
while (*s != '\0') {
|
||||
*p++ = *s++;
|
||||
if (s[-1] == '/' || s[-1] == '\\') {
|
||||
while (s[0] != '\0') {
|
||||
if (s[0] == '/' || s[0] == '\\') {
|
||||
s++;
|
||||
} else if (s[0] == '.' && s[1] == '.' &&
|
||||
(s[2] == '/' || s[2] == '\\')) {
|
||||
s += 2;
|
||||
} else {
|
||||
break;
|
||||
}
|
||||
}
|
||||
bool mg_path_is_sane(const char *path) {
|
||||
const char *s = path;
|
||||
for (; s[0] != '\0'; s++) {
|
||||
if (s == path || s[0] == '/' || s[0] == '\\') { // Subdir?
|
||||
if (s[1] == '.' && s[2] == '.') return false; // Starts with ..
|
||||
}
|
||||
}
|
||||
*p = '\0';
|
||||
return saved;
|
||||
return true;
|
||||
}
|
||||
|
||||
#ifdef MG_ENABLE_LINES
|
||||
|
50
mongoose.h
50
mongoose.h
@ -256,30 +256,30 @@ static inline int mg_mkdir(const char *path, mode_t mode) {
|
||||
#include <pico/stdlib.h>
|
||||
int mkdir(const char *, mode_t);
|
||||
#endif
|
||||
|
||||
|
||||
#if MG_ARCH == MG_ARCH_RTTHREAD
|
||||
|
||||
#include <rtthread.h>
|
||||
#include <ctype.h>
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/select.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdbool.h>
|
||||
#include <stdint.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
#include <time.h>
|
||||
|
||||
#ifndef MG_IO_SIZE
|
||||
#define MG_IO_SIZE 1460
|
||||
#endif
|
||||
|
||||
#endif // MG_ARCH == MG_ARCH_RTTHREAD
|
||||
|
||||
|
||||
#if MG_ARCH == MG_ARCH_RTTHREAD
|
||||
|
||||
#include <rtthread.h>
|
||||
#include <ctype.h>
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/select.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdbool.h>
|
||||
#include <stdint.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
#include <time.h>
|
||||
|
||||
#ifndef MG_IO_SIZE
|
||||
#define MG_IO_SIZE 1460
|
||||
#endif
|
||||
|
||||
#endif // MG_ARCH == MG_ARCH_RTTHREAD
|
||||
|
||||
|
||||
#if MG_ARCH == MG_ARCH_ARMCC || MG_ARCH == MG_ARCH_CMSIS_RTOS1 || \
|
||||
@ -859,7 +859,7 @@ char *mg_hex(const void *buf, size_t len, char *dst);
|
||||
void mg_unhex(const char *buf, size_t len, unsigned char *to);
|
||||
unsigned long mg_unhexn(const char *s, size_t len);
|
||||
int mg_check_ip_acl(struct mg_str acl, uint32_t remote_ip);
|
||||
char *mg_remove_double_dots(char *s);
|
||||
bool mg_path_is_sane(const char *path);
|
||||
|
||||
|
||||
|
||||
|
19
src/http.c
19
src/http.c
@ -610,6 +610,7 @@ struct printdirentrydata {
|
||||
const char *dir;
|
||||
};
|
||||
|
||||
#if MG_ENABLE_DIRLIST
|
||||
static void printdirentry(const char *name, void *userdata) {
|
||||
struct printdirentrydata *d = (struct printdirentrydata *) userdata;
|
||||
struct mg_fs *fs = d->opts->fs == NULL ? &mg_fs_posix : d->opts->fs;
|
||||
@ -716,6 +717,7 @@ static void listdir(struct mg_connection *c, struct mg_http_message *hm,
|
||||
memcpy(c->send.buf + off - 12, tmp, n); // Set content length
|
||||
c->is_resp = 0; // Mark response end
|
||||
}
|
||||
#endif
|
||||
|
||||
// Resolve requested file into `path` and return its fs->st() result
|
||||
static int uri_to_path2(struct mg_connection *c, struct mg_http_message *hm,
|
||||
@ -724,13 +726,20 @@ static int uri_to_path2(struct mg_connection *c, struct mg_http_message *hm,
|
||||
int flags, tmp;
|
||||
// Append URI to the root_dir, and sanitize it
|
||||
size_t n = mg_snprintf(path, path_size, "%.*s", (int) dir.len, dir.ptr);
|
||||
if (n > path_size) n = path_size;
|
||||
if (n > path_size) {
|
||||
mg_http_reply(c, 400, "", "Exceeded path size");
|
||||
return -1;
|
||||
}
|
||||
path[path_size - 1] = '\0';
|
||||
if (n + 2 < path_size) path[n++] = '/', path[n] = '\0';
|
||||
// Terminate root dir with /
|
||||
if (n + 2 < path_size && path[n-1] != '/') path[n++] = '/', path[n] = '\0';
|
||||
mg_url_decode(hm->uri.ptr + url.len, hm->uri.len - url.len, path + n,
|
||||
path_size - n, 0);
|
||||
path[path_size - 1] = '\0'; // Double-check
|
||||
mg_remove_double_dots(path);
|
||||
if (!mg_path_is_sane(path)) {
|
||||
mg_http_reply(c, 400, "", "Invalid path");
|
||||
return -1;
|
||||
}
|
||||
n = strlen(path);
|
||||
while (n > 1 && path[n - 1] == '/') path[--n] = 0; // Trim trailing slashes
|
||||
flags = mg_vcmp(&hm->uri, "/") == 0 ? MG_FS_DIR : fs->st(path, NULL, NULL);
|
||||
@ -790,7 +799,11 @@ void mg_http_serve_dir(struct mg_connection *c, struct mg_http_message *hm,
|
||||
if (flags < 0) {
|
||||
// Do nothing: the response has already been sent by uri_to_path()
|
||||
} else if (flags & MG_FS_DIR) {
|
||||
#if MG_ENABLE_DIRLIST
|
||||
listdir(c, hm, opts, path);
|
||||
#else
|
||||
mg_http_reply(c, 403, "", "Forbidden\n");
|
||||
#endif
|
||||
} else if (flags && sp != NULL &&
|
||||
mg_globmatch(sp, strlen(sp), path, strlen(path))) {
|
||||
mg_http_serve_ssi(c, opts->root_dir, path);
|
||||
|
23
src/str.c
23
src/str.c
@ -187,23 +187,12 @@ void mg_unhex(const char *buf, size_t len, unsigned char *to) {
|
||||
}
|
||||
}
|
||||
|
||||
char *mg_remove_double_dots(char *s) {
|
||||
char *saved = s, *p = s;
|
||||
while (*s != '\0') {
|
||||
*p++ = *s++;
|
||||
if (s[-1] == '/' || s[-1] == '\\') {
|
||||
while (s[0] != '\0') {
|
||||
if (s[0] == '/' || s[0] == '\\') {
|
||||
s++;
|
||||
} else if (s[0] == '.' && s[1] == '.' &&
|
||||
(s[2] == '/' || s[2] == '\\')) {
|
||||
s += 2;
|
||||
} else {
|
||||
break;
|
||||
}
|
||||
}
|
||||
bool mg_path_is_sane(const char *path) {
|
||||
const char *s = path;
|
||||
for (; s[0] != '\0'; s++) {
|
||||
if (s == path || s[0] == '/' || s[0] == '\\') { // Subdir?
|
||||
if (s[1] == '.' && s[2] == '.') return false; // Starts with ..
|
||||
}
|
||||
}
|
||||
*p = '\0';
|
||||
return saved;
|
||||
return true;
|
||||
}
|
||||
|
@ -35,4 +35,4 @@ char *mg_hex(const void *buf, size_t len, char *dst);
|
||||
void mg_unhex(const char *buf, size_t len, unsigned char *to);
|
||||
unsigned long mg_unhexn(const char *s, size_t len);
|
||||
int mg_check_ip_acl(struct mg_str acl, uint32_t remote_ip);
|
||||
char *mg_remove_double_dots(char *s);
|
||||
bool mg_path_is_sane(const char *path);
|
||||
|
@ -643,11 +643,13 @@ static void eh1(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
|
||||
} else if (mg_http_match_uri(hm, "/upload")) {
|
||||
char path[80], name[64];
|
||||
mg_http_get_var(&hm->query, "name", name, sizeof(name));
|
||||
mg_snprintf(path, sizeof(path), "./%s", name);
|
||||
if (name[0] == '\0') {
|
||||
mg_http_reply(c, 400, "", "%s", "name required");
|
||||
} else if (!mg_path_is_sane(path)) {
|
||||
mg_http_reply(c, 400, "", "%s", "invalid path");
|
||||
} else {
|
||||
mg_snprintf(path, sizeof(path), "./%s", name);
|
||||
mg_http_upload(c, hm, &mg_fs_posix, mg_remove_double_dots(path), 99999);
|
||||
mg_http_upload(c, hm, &mg_fs_posix, path, 99999);
|
||||
c->is_hexdumping = 1;
|
||||
}
|
||||
} else if (mg_http_match_uri(hm, "/test/")) {
|
||||
@ -854,11 +856,11 @@ static void test_http_server(void) {
|
||||
ASSERT(fetch(&mgr, buf, url, "GET /київ.txt HTTP/1.0\n\n") == 200);
|
||||
ASSERT(cmpbody(buf, "є\n") == 0);
|
||||
|
||||
ASSERT(fetch(&mgr, buf, url, "GET /../fuzz.c HTTP/1.0\n\n") == 404);
|
||||
ASSERT(fetch(&mgr, buf, url, "GET /.%%2e/fuzz.c HTTP/1.0\n\n") == 404);
|
||||
ASSERT(fetch(&mgr, buf, url, "GET /.%%2e%%2ffuzz.c HTTP/1.0\n\n") == 404);
|
||||
ASSERT(fetch(&mgr, buf, url, "GET /..%%2f%%20fuzz.c HTTP/1.0\n\n") == 404);
|
||||
ASSERT(fetch(&mgr, buf, url, "GET /..%%2ffuzz.c%%20 HTTP/1.0\n\n") == 404);
|
||||
ASSERT(fetch(&mgr, buf, url, "GET /../fuzz.c HTTP/1.0\n\n") == 400);
|
||||
ASSERT(fetch(&mgr, buf, url, "GET /.%%2e/fuzz.c HTTP/1.0\n\n") == 400);
|
||||
ASSERT(fetch(&mgr, buf, url, "GET /.%%2e%%2ffuzz.c HTTP/1.0\n\n") == 400);
|
||||
ASSERT(fetch(&mgr, buf, url, "GET /..%%2f%%20fuzz.c HTTP/1.0\n\n") == 400);
|
||||
ASSERT(fetch(&mgr, buf, url, "GET /..%%2ffuzz.c%%20 HTTP/1.0\n\n") == 400);
|
||||
|
||||
ASSERT(fetch(&mgr, buf, url, "GET /dredir HTTP/1.0\n\n") == 301);
|
||||
ASSERT(cmpheader(buf, "Location", "/dredir/"));
|
||||
@ -884,9 +886,8 @@ static void test_http_server(void) {
|
||||
ASSERT(cmpheader(buf, "Content-Encoding", "gzip") == true);
|
||||
ASSERT(gethm(buf).body.len == 23);
|
||||
|
||||
ASSERT(fetch(&mgr, buf, url, "GET /..ddot HTTP/1.0\n\n") == 301);
|
||||
ASSERT(fetch(&mgr, buf, url, "GET /..ddot/ HTTP/1.0\n\n") == 200);
|
||||
ASSERT(cmpbody(buf, "hi\n") == 0);
|
||||
ASSERT(fetch(&mgr, buf, url, "GET /..ddot HTTP/1.0\n\n") == 400);
|
||||
ASSERT(fetch(&mgr, buf, url, "GET /..ddot/ HTTP/1.0\n\n") == 400);
|
||||
ASSERT(fetch(&mgr, buf, url,
|
||||
"GET /a.txt HTTP/1.0\n"
|
||||
"Content-Length: -123\n\n") == 0);
|
||||
@ -1048,7 +1049,7 @@ static void test_http_server(void) {
|
||||
remove("uploaded.txt");
|
||||
ASSERT((p = mg_file_read(&mg_fs_posix, "uploaded.txt", NULL)) == NULL);
|
||||
ASSERT(fetch(&mgr, buf, url,
|
||||
"POST /upload?name=../uploaded.txt HTTP/1.0\r\n"
|
||||
"POST /upload?name=uploaded.txt HTTP/1.0\r\n"
|
||||
"Content-Length: 5\r\n"
|
||||
"\r\nhello") == 200);
|
||||
ASSERT((p = mg_file_read(&mg_fs_posix, "uploaded.txt", NULL)) != NULL);
|
||||
|
Loading…
Reference in New Issue
Block a user