Don't allow colons in web-requested path names on Windows

This fixes issue #269 (NTFS Alternate Data Stream vulnerability) and other potential pathname issues on Windows involving colons. There are other illegal filename characters on Windows (e.g. <>|"?*), but filenames with these characters aren't expected to pass the later stat() test, so should fail with a 404 error.

Don't allow colons in web-requested path names on Windows
a487e0c6 · Rob Swindell · 9f789457 · a487e0c6
Commit a487e0c6 authored 3 years ago by Rob Swindell
--- a/src/sbbs3/websrvr.c
+++ b/src/sbbs3/websrvr.c
@@ -3148,6 +3148,15 @@ static BOOL is_legal_host(const char *host, BOOL strip_port)
 	return TRUE;
 }

+static BOOL is_legal_path(const char* path)
+{
+#ifdef _WIN32	// Fix for Issue 269 (NTFS Alternate Data Stream vulnerability) and other potential unexpected pathname issues on Windows
+	if (strchr(path, ':') != NULL)
+		return FALSE;
+#endif
+	return TRUE;
+}
+
 static BOOL get_req(http_session_t * session, char *request_line)
 {
 	char	req_line[MAX_REQUEST_LINE+1];
@@ -3198,6 +3207,10 @@ static BOOL get_req(http_session_t * session, char *request_line)
 				send_error(session,__LINE__,"400 Bad Request");
 				return FALSE;
 			}
+			if (!is_legal_path(session->req.physical_path)) {
+				send_error(session,__LINE__,"400 Bad Request");
+				return FALSE;
+			}
 			if(!get_fullpath(session)) {
 				send_error(session,__LINE__,error_500);
 				return(FALSE);