SoupServer: fix to not allow smuggling ".." into path

When SoupServer:raw-paths was set (the default), it was possible to sneak ".." segments into the path passed to the SoupServerHandler, which could then end up tricking some handlers into retrieving arbitrary files from the filesystem. Fix that. https://bugzilla.gnome.org/show_bug.cgi?id=653258
author: Dan Winship <danw@gnome.org> 2011-06-29 10:04:06 -0400
committer: Dan Winship <danw@gnome.org> 2011-07-28 08:49:42 -0400
commit: cbeeb7a0f7f0e8b16f2d382157496f9100218dea (patch)
tree: d16120180dd80df07e3116123a4df050ab6ba036
parent: 48da81884eb7ce926eb34b8ba337ab099f5a59bc (diff)
download: libsoup-cbeeb7a0f7f0e8b16f2d382157496f9100218dea.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/libsoup/soup-server.c b/libsoup/soup-server.c
index d56efd13..72253376 100644
--- a/libsoup/soup-server.c
+++ b/libsoup/soup-server.c
@@ -779,6 +779,15 @@ got_headers (SoupMessage *req, SoupClientContext *client)
 
 		uri = soup_message_get_uri (req);
 		decoded_path = soup_uri_decode (uri->path);
+
+		if (strstr (decoded_path, "/../") ||
+		    g_str_has_suffix (decoded_path, "/..")) {
+			/* Introducing new ".." segments is not allowed */
+			g_free (decoded_path);
+			soup_message_set_status (req, SOUP_STATUS_BAD_REQUEST);
+			return;
+		}
+
 		soup_uri_set_path (uri, decoded_path);
 		g_free (decoded_path);
 	}
author	Dan Winship <danw@gnome.org>	2011-06-29 10:04:06 -0400
committer	Dan Winship <danw@gnome.org>	2011-07-28 08:49:42 -0400
commit	cbeeb7a0f7f0e8b16f2d382157496f9100218dea (patch)
tree	d16120180dd80df07e3116123a4df050ab6ba036
parent	48da81884eb7ce926eb34b8ba337ab099f5a59bc (diff)
download	libsoup-cbeeb7a0f7f0e8b16f2d382157496f9100218dea.tar.gz