httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Justin Kennedy <jkenn...@pingidentity.com>
Subject Preventing Path Traversal Attack
Date Thu, 04 Dec 2014 15:20:03 GMT
Good day,

In my handler hook I've implemented some code in an attempt to prevent this
attack. Unfortunately it doesn't take into account that there might be
spaces in the URL. Has anyone already overcome this or can provide a proper
solution?

Here is the code in question:

/* ensure r->uri and r->unparsed_uri are similar to prevent path traversal
attacks */

  unparsed_uri = apr_pstrdup(r->pool, r->unparsed_uri);

/* get the unparsed base uri (everything up to '?') */
  unparsed_uri_base = apr_strtok(unparsed_uri, "?", &buf);

  buf = strstr(r->uri, unparsed_uri_base);

/*** ISSUE: If there is a space in the URL then r->uri will have the
encoded space as %20 and r->unparsed_uri will not */

  /* compare unparsed base with parsed uri */
  if(buf == NULL || strlen(r->uri) != strlen(buf)) {
    error(
      cfg,
      "Malformed URI"
    );
    return HTTP_INTERNAL_SERVER_ERROR;
  }

-- 
   [image: Ping Identity logo] <https://www.pingidentity.com/>
Justin Kennedy
Sr. Development Engineer
  @ jkennedy@pingidentity.com  [image: phone] +1 604.697.7055  Connect with
us…  [image: twitter logo] <https://twitter.com/pingidentity> [image:
youtube logo] <https://www.youtube.com/user/PingIdentityTV> [image:
LinkedIn logo] <https://www.linkedin.com/company/21870> [image: Facebook
logo] <https://www.facebook.com/pingidentitypage> [image: Google+ logo]
<https://plus.google.com/u/0/114266977739397708540> [image: slideshare logo]
<http://www.slideshare.net/PingIdentity> [image: flipboard logo]
<http://flip.it/vjBF7> [image: rss feed icon]
<https://www.pingidentity.com/blogs/>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message