[openssl] master update
Matt Caswell
matt at openssl.org
Mon Oct 28 13:24:49 UTC 2019
The branch master has been updated
via 0a4d6c67480a4d2fce514e08d3efe571f2ee99c9 (commit)
from c549cb46e0d3cb4e611acafae5f919b4a8df4007 (commit)
- Log -----------------------------------------------------------------
commit 0a4d6c67480a4d2fce514e08d3efe571f2ee99c9
Author: Matt Caswell <matt at openssl.org>
Date: Fri Oct 18 16:40:44 2019 +0100
Fix an s_server arbitrary file read issue on Windows
Running s_server in WWW mode on Windows can allow a client to read files
outside the s_server directory by including backslashes in the name, e.g.
GET /..\myfile.txt HTTP/1.0
There exists a check for this for Unix paths but it is not sufficient
for Windows.
Since s_server is a test tool no CVE is assigned.
Thanks to Jobert Abma for reporting this.
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10215)
-----------------------------------------------------------------------
Summary of changes:
apps/s_server.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/apps/s_server.c b/apps/s_server.c
index 0380468080..5f58ef68fe 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -3211,6 +3211,12 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
if (e[0] == ' ')
break;
+ if (e[0] == ':') {
+ /* Windows drive. We treat this the same way as ".." */
+ dot = -1;
+ break;
+ }
+
switch (dot) {
case 1:
dot = (e[0] == '.') ? 2 : 0;
@@ -3219,11 +3225,11 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
dot = (e[0] == '.') ? 3 : 0;
break;
case 3:
- dot = (e[0] == '/') ? -1 : 0;
+ dot = (e[0] == '/' || e[0] == '\\') ? -1 : 0;
break;
}
if (dot == 0)
- dot = (e[0] == '/') ? 1 : 0;
+ dot = (e[0] == '/' || e[0] == '\\') ? 1 : 0;
}
dot = (dot == 3) || (dot == -1); /* filename contains ".."
* component */
@@ -3237,11 +3243,11 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
if (dot) {
BIO_puts(io, text);
- BIO_printf(io, "'%s' contains '..' reference\r\n", p);
+ BIO_printf(io, "'%s' contains '..' or ':'\r\n", p);
break;
}
- if (*p == '/') {
+ if (*p == '/' || *p == '\\') {
BIO_puts(io, text);
BIO_printf(io, "'%s' is an invalid path\r\n", p);
break;
More information about the openssl-commits
mailing list