httpd-modules-dev mailing list archives

From Justin Kennedy <jkenn...@pingidentity.com>
Subject Re: Preventing Path Traversal Attack
Date Mon, 08 Dec 2014 14:07:41 GMT
Hi Yann,

The variable "r" is the request_rec that is passed into the module's
handler hook. Based on my testing, r->unparsed_uri does indeed have a space
(it's not encoded to %20).

I need to compare against an unparsed URI because r->uri is vulnerable to a
path traversal attack. For instance, this:
http://abc.me/unprotected_path/../protected_path
becomes:
http://abc.me/protected_path

Maybe I'm going about it the wrong way, so I'm hoping for some guidance
from more experienced developers.

Thank you,

On Thu, Dec 4, 2014 at 6:33 PM, Yann Ylavic <ylavic.dev@gmail.com> wrote:

> Hello,
>
> On Thu, Dec 4, 2014 at 4:20 PM, Justin Kennedy
> <jkennedy@pingidentity.com> wrote:
> > Here is the code in question:
> >
> > /* ensure r->uri and r->unparsed_uri are similar to prevent path traversal
> > attacks */
> >
> >   unparsed_uri = apr_pstrdup(r->pool, r->unparsed_uri);
> >
> > /* get the unparsed base uri (everything up to '?') */
> >   unparsed_uri_base = apr_strtok(unparsed_uri, "?", &buf);
> >
> >   buf = strstr(r->uri, unparsed_uri_base);
> >
> > /*** ISSUE: If there is a space in the URL then r->uri will have the
> > encoded space as %20 and r->unparsed_uri will not */
>
> There can't be a space in the HTTP URL received by httpd, the space
> must be %20-escaped (urlencoded) by the client to form a valid HTTP
> request line.
> Hence both r->unparsed_uri and r->uri should have the %20 (see
> read_request_line() and ap_parse_uri()), unlike r->parsed_uri.path
> which is later ap_unescape()d in ap_process_request_internal(), where
> r->uri is also sanitized against all forms of dot-slashes.
>
> >
> >   /* compare unparsed base with parsed uri */
> >   if(buf == NULL || strlen(r->uri) != strlen(buf)) {
>
> Where does this r->uri come from?
>
> >     error(
> >       cfg,
> >       "Malformed URI"
> >     );
> >     return HTTP_INTERNAL_SERVER_ERROR;
> >   }
>
> Regards,
> Yann.
>

-- 
Justin Kennedy
Sr. Development Engineer
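The check Justin's snippet is reaching for, written out as a stand-alone C example added here (it is not code from this thread or from httpd): it percent-decodes the path part of the raw request URI, collapses dot-segments the way ap_getparents() does, and reports whether any were present, so a request for /unprotected_path/../protected_path is flagged even though its normalized path is /protected_path. decode_path(), remove_dot_segments() and check_raw_uri() are hypothetical names, and no APR is used so the file compiles on its own.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Copy the path part of raw (up to '?' or '#') into out, percent-decoding it so "%2e%2e" is seen as "..". */
static int decode_path(const char *raw, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *raw && *raw != '?' && *raw != '#'; raw++) {
        char c = *raw;
        if (c == '%') {
            if (!isxdigit((unsigned char)raw[1]) || !isxdigit((unsigned char)raw[2])) return 0;
            char hex[3] = { raw[1], raw[2], 0 };
            c = (char)strtol(hex, NULL, 16);
            if (c == '\0' || c == '/') return 0;     /* httpd's ap_unescape_url() rejects these too */
            raw += 2;
        }
        if (n + 1 >= outlen) return 0;               /* no room for c plus the terminating NUL */
        out[n++] = c;
    }
    out[n] = '\0'; return 1;
}

/* Collapse "." and ".." in place like ap_getparents(); path must start with '/'. Returns 1 if any were seen. */
static int remove_dot_segments(char *path)
{
    char *w = path; int seen = 0;                    /* w: write cursor; r below is always at a '/' */
    for (const char *r = path; *r; ) {
        const char *seg = r + 1;
        size_t len = strcspn(seg, "/");
        if (len == 1 && seg[0] == '.')
            seen = 1;                                /* "/.": drop it */
        else if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            while (w > path && *--w != '/') { }      /* "/..": pop the previous segment (root stays) */
            seen = 1;
        } else {
            *w++ = '/'; memmove(w, seg, len); w += len;   /* ordinary segment: keep it */
        }
        r = seg + len;
    }
    if (w == path) *w++ = '/';
    *w = '\0'; return seen;
}

/* 1 if the raw path used dot-segments (a traversal attempt), 0 if not, -1 if malformed; path gets the normalized form. */
int check_raw_uri(const char *raw_uri, char *path, size_t len)
{
    if (!decode_path(raw_uri, path, len) || path[0] != '/')
        return -1;
    return remove_dot_segments(path);
}
```

Whether a request carried dot-segments is worth logging, but the access decision itself belongs on the normalized path, which is what r->uri already holds once ap_process_request_internal() has run.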
