Synchronet now requires the libarchive development package (e.g. libarchive-dev on Debian-based Linux distros, libarchive.org for more info) to build successfully.

Commit a487e0c6 authored by Rob Swindell's avatar Rob Swindell 💬

Don't allow colons in web-requested path names on Windows

This fixes issue #269 (NTFS Alternate Data Stream vulnerability) and other
potential pathname issues on Windows involving colons.

There are other illegal filename characters on Windows (e.g. <>|"?*), but
filenames with these characters aren't expected to pass the later stat() test,
so should fail with a 404 error.
parent 9f789457
Pipeline #2348 passed with stage
in 8 minutes and 48 seconds
......@@ -3148,6 +3148,15 @@ static BOOL is_legal_host(const char *host, BOOL strip_port)
return TRUE;
}
static BOOL is_legal_path(const char* path)
{
#ifdef _WIN32 // Fix for Issue 269 (NTFS Alternate Data Stream vulnerability) and other potential unexpected pathname issues on Windows
if (strchr(path, ':') != NULL)
return FALSE;
#endif
return TRUE;
}
static BOOL get_req(http_session_t * session, char *request_line)
{
char req_line[MAX_REQUEST_LINE+1];
......@@ -3198,6 +3207,10 @@ static BOOL get_req(http_session_t * session, char *request_line)
send_error(session,__LINE__,"400 Bad Request");
return FALSE;
}
if (!is_legal_path(session->req.physical_path)) {
send_error(session,__LINE__,"400 Bad Request");
return FALSE;
}
if(!get_fullpath(session)) {
send_error(session,__LINE__,error_500);
return(FALSE);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment