httpd-modules-dev mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: Preventing Path Traversal Attack
Date Thu, 04 Dec 2014 22:33:48 GMT
Hello,

On Thu, Dec 4, 2014 at 4:20 PM, Justin Kennedy
<jkennedy@pingidentity.com> wrote:
> Here is the code in question:
>
> /* ensure r->uri and r->unparsed_uri are similar to prevent path traversal attacks */
>
>   unparsed_uri = apr_pstrdup(r->pool, r->unparsed_uri);
>
> /* get the unparsed base uri (everything up to '?') */
>   unparsed_uri_base = apr_strtok(unparsed_uri, "?", &buf);
>
>   buf = strstr(r->uri, unparsed_uri_base);
>
> /*** ISSUE: If there is a space in the URL then r->uri will have the encoded space as %20 and r->unparsed_uri will not */

There can't be a space in the HTTP URL received by httpd; the space
must be %20-escaped (urlencoded) by the client to form a valid HTTP
request line.
Hence both r->unparsed_uri and r->uri should have the %20 (see
read_request_line() and ap_parse_uri()), unlike r->parsed_uri.path,
which is later ap_unescape()d in ap_process_request_internal(), where
r->uri is also sanitized against all forms of dot-slashes.

>
>   /* compare unparsed base with parsed uri */
>   if(buf == NULL || strlen(r->uri) != strlen(buf)) {

Where does this r->uri come from?

>     error(
>       cfg,
>       "Malformed URI"
>     );
>     return HTTP_INTERNAL_SERVER_ERROR;
>   }

Regards,
Yann.
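The consistency check the quoted module code is reaching for, as an added stand-alone example (this is neither httpd's code nor the module's): it takes the request-line path up to '?', percent-decodes it the way ap_unescape_url() is described above (rejecting bad escapes, %00 and %2F; that rejection set is an assumption about httpd, not taken from this thread), collapses "." and ".." segments the way ap_getparents() is said to sanitize r->uri, and only then compares against r->uri. It assumes r->uri is already the decoded, dot-collapsed path and uses fixed stack buffers instead of apr pools. A raw path that changes under dot-collapsing is reported as traversal; a %20 no longer causes a spurious mismatch because both sides are compared in decoded form.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum uri_check { URI_OK = 0, URI_BAD_ESCAPE, URI_TRAVERSAL, URI_MISMATCH, URI_TOO_LONG };

/* Value of a hex digit; only called after isxdigit() has vetted it. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    return tolower(c) - 'a' + 10;
}

/* Percent-decode src into dst. Returns 0 on a malformed escape, or on an
 * encoded NUL or '/' (assumed to mirror ap_unescape_url()'s refusal of
 * %00 and %2F; this is a simplified re-implementation, not httpd's). */
static int unescape_path(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (; *src; src++) {
        if (o + 1 >= dstlen) return 0;
        if (*src == '%') {
            if (!isxdigit((unsigned char)src[1]) || !isxdigit((unsigned char)src[2]))
                return 0;
            int c = hexval(src[1]) * 16 + hexval(src[2]);
            if (c == 0 || c == '/') return 0;
            dst[o++] = (char)c;
            src += 2;
        } else {
            dst[o++] = *src;
        }
    }
    dst[o] = '\0';
    return 1;
}

/* Remove "." segments and let ".." pop the previous segment, in the spirit of
 * ap_getparents(). Output never grows, so outlen >= strlen(in) + 1 suffices. */
static void collapse_dots(const char *in, char *out, size_t outlen)
{
    size_t olen = 0;
    const char *p = in;
    if (*p == '/') { out[olen++] = '/'; p++; }
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t seglen = (size_t)(p - seg);
        int has_slash = (*p == '/');
        if (has_slash) p++;
        if (seglen == 1 && seg[0] == '.') {
            continue;                         /* "./" contributes nothing */
        } else if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (olen > 1) {                   /* drop "<segment>/" just before */
                olen--;
                while (olen > 0 && out[olen - 1] != '/') olen--;
            }
        } else {
            if (olen + seglen + 2 > outlen) break;  /* cannot happen for sized buffers */
            memcpy(out + olen, seg, seglen);
            olen += seglen;
            if (has_slash) out[olen++] = '/';
        }
    }
    out[olen] = '\0';
}

/* Compare the request-line path (r->unparsed_uri) with the dispatch path
 * (r->uri, assumed already decoded and dot-collapsed by httpd). */
enum uri_check check_request_uri(const char *unparsed_uri, const char *uri)
{
    char base[512], decoded[512], collapsed[512];
    size_t n = strcspn(unparsed_uri, "?");      /* base = everything up to '?' */
    if (n >= sizeof base) return URI_TOO_LONG;
    memcpy(base, unparsed_uri, n);
    base[n] = '\0';

    if (!unescape_path(base, decoded, sizeof decoded)) return URI_BAD_ESCAPE;
    collapse_dots(decoded, collapsed, sizeof collapsed);
    if (strcmp(decoded, collapsed) != 0) return URI_TRAVERSAL;  /* client sent ./ or ../ */
    if (strcmp(decoded, uri) != 0) return URI_MISMATCH;
    return URI_OK;
}

int main(void)
{
    /* Constructed sample request-line paths paired with the r->uri httpd would dispatch on. */
    static const char *cases[][2] = {
        { "/app/file%20name?x=1",      "/app/file name" },
        { "/app/../etc/passwd",         "/etc/passwd" },
        { "/app/%2e%2E/etc/passwd",     "/etc/passwd" },
        { "/app/x%2Fy",                 "/app/x/y" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s vs %-16s -> %d\n", cases[i][0], cases[i][1],
               check_request_uri(cases[i][0], cases[i][1]));
    return 0;
}
```

The order matters: decoding before dot-collapsing is what catches "%2e%2e/", which a check on the raw string would miss, while comparing decoded-to-decoded is what keeps "%20" from tripping the check as in the report above.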
