[openssl] OpenSSL_1_1_1-stable update
Matt Caswell
matt at openssl.org
Mon Oct 28 13:25:02 UTC 2019
The branch OpenSSL_1_1_1-stable has been updated
via 325c9ac198c822ca634a12d3856341c5044c66d0 (commit)
from 3a9080d6f486c270457b9f2b0da15d2702539f98 (commit)
- Log -----------------------------------------------------------------
commit 325c9ac198c822ca634a12d3856341c5044c66d0
Author: Matt Caswell <matt at openssl.org>
Date: Fri Oct 18 16:40:44 2019 +0100
Fix an s_server arbitrary file read issue on Windows
Running s_server in WWW mode on Windows can allow a client to read files
outside the s_server directory by including backslashes in the name, e.g.
GET /..\myfile.txt HTTP/1.0
There exists a check for this for Unix paths but it is not sufficient
for Windows.
Since s_server is a test tool no CVE is assigned.
Thanks to Jobert Abma for reporting this.
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10215)
(cherry picked from commit 0a4d6c67480a4d2fce514e08d3efe571f2ee99c9)
-----------------------------------------------------------------------
Summary of changes:
apps/s_server.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/apps/s_server.c b/apps/s_server.c
index b80032c76c..2248a432e2 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -3205,6 +3205,12 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
if (e[0] == ' ')
break;
+ if (e[0] == ':') {
+ /* Windows drive. We treat this the same way as ".." */
+ dot = -1;
+ break;
+ }
+
switch (dot) {
case 1:
dot = (e[0] == '.') ? 2 : 0;
@@ -3213,11 +3219,11 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
dot = (e[0] == '.') ? 3 : 0;
break;
case 3:
- dot = (e[0] == '/') ? -1 : 0;
+ dot = (e[0] == '/' || e[0] == '\\') ? -1 : 0;
break;
}
if (dot == 0)
- dot = (e[0] == '/') ? 1 : 0;
+ dot = (e[0] == '/' || e[0] == '\\') ? 1 : 0;
}
dot = (dot == 3) || (dot == -1); /* filename contains ".."
* component */
@@ -3231,11 +3237,11 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
if (dot) {
BIO_puts(io, text);
- BIO_printf(io, "'%s' contains '..' reference\r\n", p);
+ BIO_printf(io, "'%s' contains '..' or ':'\r\n", p);
break;
}
- if (*p == '/') {
+ if (*p == '/' || *p == '\\') {
BIO_puts(io, text);
BIO_printf(io, "'%s' is an invalid path\r\n", p);
break;
More information about the openssl-commits
mailing list