path: root/src/t/test_mod_alias.c
#include "first.h"

#undef NDEBUG
#include <assert.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#include "mod_alias.c"

/*
 * Drive mod_alias_remap() directly with a hand-built request.
 *
 * Every case follows the same pattern: set r.physical.basedir and
 * r.physical.path, install one alias (key -> replacement value) in
 * `aliases`, call mod_alias_remap(), then assert on the handler return
 * code and on the rewritten basedir/path (or on r.http_status when the
 * request is expected to be refused).
 *
 * Two cases are security regressions (issues 3114 and 2898, linked below);
 * the remaining cases pin the prefix-replacement arithmetic for keys and
 * values with and without a trailing '/'.
 */
static void test_mod_alias_check(void) {
    /* zero-filled request; only physical.basedir, physical.path and
     * http_status are set or inspected by this test */
    request_st r;
    memset(&r, 0, sizeof(request_st));
    array * const aliases = array_init(3);

    /*(empty list; should not happen in practice)*/
    /* no alias configured: remap must simply pass the request on */
    buffer_copy_string_len(&r.physical.basedir, CONST_STR_LEN("/tmp"));
    buffer_copy_string_len(&r.physical.path, CONST_STR_LEN("/tmp/"));
    assert(HANDLER_GO_ON == mod_alias_remap(&r, aliases));

    /* Use-after-free bug in mod_alias
     * https://redmine.lighttpd.net/issues/3114
     *
     * The replacement value is 68 bytes and, per its own wording, is meant
     * to force the string buffer to be reallocated during the remap.
     * The strcmp() asserts below only check the final buffer contents; a
     * stale-pointer access is reliably caught only when this test runs
     * under a memory checker (e.g. ASan or valgrind).
     * NOTE(review): confirm the test suite is run that way in CI. */
    buffer_copy_string_len(&r.physical.basedir, CONST_STR_LEN("/tmp"));
    buffer_copy_string_len(&r.physical.path, CONST_STR_LEN("/tmp/"));
    /* presumably drops the previous alias so only one entry is active
     * per case -- verify against array_reset_data_strings() */
    array_reset_data_strings(aliases);
    array_set_key_value(aliases, CONST_STR_LEN("/"), CONST_STR_LEN(
      "/very-long-path/longer-than-64/intended-to-trigger-str-reallocation/"));
    assert(HANDLER_GO_ON == mod_alias_remap(&r, aliases));
    assert(0 == strcmp(r.physical.basedir.ptr,
      "/very-long-path/longer-than-64/intended-to-trigger-str-reallocation/"));
    assert(0 == strcmp(r.physical.path.ptr,
      "/very-long-path/longer-than-64/intended-to-trigger-str-reallocation/"));

    /*(admin should prefer to match dirs with trailing '/', but test w/o)*/
    /* basedir carries a trailing '/', the replacement value does not;
     * both basedir and path are expected to become exactly the value */
    buffer_copy_string_len(&r.physical.basedir, CONST_STR_LEN("/tmp/"));
    buffer_copy_string_len(&r.physical.path, CONST_STR_LEN("/tmp/"));
    array_reset_data_strings(aliases);
    array_set_key_value(aliases, CONST_STR_LEN("/"), CONST_STR_LEN("/var/tmp"));
    assert(HANDLER_GO_ON == mod_alias_remap(&r, aliases));
    assert(0 == strcmp(r.physical.basedir.ptr, "/var/tmp"));
    assert(0 == strcmp(r.physical.path.ptr, "/var/tmp"));

    /* key "/foo" matches the whole remainder of the path: nothing is left
     * to append, so path equals the replacement value */
    buffer_copy_string_len(&r.physical.basedir, CONST_STR_LEN("/tmp"));
    buffer_copy_string_len(&r.physical.path, CONST_STR_LEN("/tmp/foo"));
    array_reset_data_strings(aliases);
    array_set_key_value(aliases, CONST_STR_LEN("/foo"),
                                 CONST_STR_LEN("/var/tmp/"));
    assert(HANDLER_GO_ON == mod_alias_remap(&r, aliases));
    assert(0 == strcmp(r.physical.basedir.ptr, "/var/tmp/"));
    assert(0 == strcmp(r.physical.path.ptr, "/var/tmp/"));

    /* key "/foo" has no trailing '/', so it matches as a plain string
     * prefix of "/fooddd" (not on a path-segment boundary); the remainder
     * "ddd" is appended to the replacement value unchanged */
    buffer_copy_string_len(&r.physical.basedir, CONST_STR_LEN("/tmp"));
    buffer_copy_string_len(&r.physical.path, CONST_STR_LEN("/tmp/fooddd"));
    array_reset_data_strings(aliases);
    array_set_key_value(aliases, CONST_STR_LEN("/foo"),
                                 CONST_STR_LEN("/var/tmp/"));
    assert(HANDLER_GO_ON == mod_alias_remap(&r, aliases));
    assert(0 == strcmp(r.physical.basedir.ptr, "/var/tmp/"));
    assert(0 == strcmp(r.physical.path.ptr, "/var/tmp/ddd"));

    /* security: path traversal in mod_alias (in some use cases)
     * https://redmine.lighttpd.net/issues/2898
     *
     * Same alias as the previous case (key without trailing '/', value
     * with trailing '/'), but the text following the key is "../bad".
     * Applying the substitution shown in the previous case would yield
     * "/var/tmp/../bad", a path above the alias target, so the remap is
     * required to refuse the request: HANDLER_FINISHED with status 403.
     * NOTE(review): only the return code and status are asserted; it may
     * be worth also asserting that physical.path was not rewritten on
     * rejection -- confirm the intended behaviour in mod_alias_remap(). */
    buffer_copy_string_len(&r.physical.basedir, CONST_STR_LEN("/tmp"));
    buffer_copy_string_len(&r.physical.path, CONST_STR_LEN("/tmp/foo../bad"));
    array_reset_data_strings(aliases);
    array_set_key_value(aliases, CONST_STR_LEN("/foo"),
                                 CONST_STR_LEN("/var/tmp/"));
    assert(HANDLER_FINISHED == mod_alias_remap(&r, aliases));
    assert(403 == r.http_status);
    /* clear the status so the 403 does not carry over into later cases */
    r.http_status = 0;

    /* replacement longer */
    /* value "/opt/var/tmp/" (13 bytes) is longer than the matched part of
     * the physical path, "/tmp/foo/" (9 bytes) */
    buffer_copy_string_len(&r.physical.basedir, CONST_STR_LEN("/tmp"));
    buffer_copy_string_len(&r.physical.path, CONST_STR_LEN("/tmp/foo/x"));
    array_reset_data_strings(aliases);
    array_set_key_value(aliases, CONST_STR_LEN("/foo/"),
                                 CONST_STR_LEN("/opt/var/tmp/"));
    assert(HANDLER_GO_ON == mod_alias_remap(&r, aliases));
    assert(0 == strcmp(r.physical.basedir.ptr, "/opt/var/tmp/"));
    assert(0 == strcmp(r.physical.path.ptr, "/opt/var/tmp/x"));

    /* replacement shorter */
    /* value "/ba/" (4 bytes) is shorter than the matched "/tmp/foo/" */
    buffer_copy_string_len(&r.physical.basedir, CONST_STR_LEN("/tmp"));
    buffer_copy_string_len(&r.physical.path, CONST_STR_LEN("/tmp/foo/x"));
    array_reset_data_strings(aliases);
    array_set_key_value(aliases, CONST_STR_LEN("/foo/"),
                                 CONST_STR_LEN("/ba/"));
    assert(HANDLER_GO_ON == mod_alias_remap(&r, aliases));
    assert(0 == strcmp(r.physical.basedir.ptr, "/ba/"));
    assert(0 == strcmp(r.physical.path.ptr, "/ba/x"));

    /* replacement same length */
    /* value "/var/tmp/" and the matched "/tmp/foo/" are both 9 bytes */
    buffer_copy_string_len(&r.physical.basedir, CONST_STR_LEN("/tmp"));
    buffer_copy_string_len(&r.physical.path, CONST_STR_LEN("/tmp/foo/x"));
    array_reset_data_strings(aliases);
    array_set_key_value(aliases, CONST_STR_LEN("/foo/"),
                                 CONST_STR_LEN("/var/tmp/"));
    assert(HANDLER_GO_ON == mod_alias_remap(&r, aliases));
    assert(0 == strcmp(r.physical.basedir.ptr, "/var/tmp/"));
    assert(0 == strcmp(r.physical.path.ptr, "/var/tmp/x"));

    /* release the alias list and the two buffers this test filled, so a
     * leak checker run over the test binary stays clean */
    array_free(aliases);
    free(r.physical.path.ptr);
    free(r.physical.basedir.ptr);
}

/* Externally visible entry point of this test unit; it runs the
 * mod_alias checks defined above.
 * The prototype sits directly before the definition.
 * NOTE(review): presumably this keeps missing-prototype warnings quiet for
 * a function with external linkage -- confirm against the build flags. */
void test_mod_alias (void);

void
test_mod_alias (void)
{
    test_mod_alias_check();
}