Commit c8f565b0 authored by Philipp Schafft's avatar Philipp Schafft 🦁

Update: SECURITY File extension check for trailing characters

This changes the file extension check in a way that it no longer
ignores trailing characters. This significantly reduces the risk
of false positives while matching. However, this invalidates old
setups with files like foo.xsl3; I have never seen files like
that in the wild.

This is based on the patch provided by ePirat in ticket #2248.

See: #2248
parent 805084cc
...@@ -197,35 +197,23 @@ char *util_get_extension(const char *path) { ...@@ -197,35 +197,23 @@ char *util_get_extension(const char *path) {
} }
int util_check_valid_extension(const char *uri) { int util_check_valid_extension(const char *uri) {
int ret = 0; const char *p2;
char *p2;
if (!uri)
return UNKNOWN_CONTENT;
if (uri) {
p2 = strrchr(uri, '.'); p2 = strrchr(uri, '.');
if (p2) { if (!p2)
return UNKNOWN_CONTENT;
p2++; p2++;
if (strncmp(p2, "xsl", strlen("xsl")) == 0) {
/* Build the full path for the request, concatenating the webroot from the config.
** Here would be also a good time to prevent accesses like '../../../../etc/passwd' or somesuch.
*/
ret = XSLT_CONTENT;
}
if (strncmp(p2, "htm", strlen("htm")) == 0) {
/* Build the full path for the request, concatenating the webroot from the config.
** Here would be also a good time to prevent accesses like '../../../../etc/passwd' or somesuch.
*/
ret = HTML_CONTENT;
}
if (strncmp(p2, "html", strlen("html")) == 0) {
/* Build the full path for the request, concatenating the webroot from the config.
** Here would be also a good time to prevent accesses like '../../../../etc/passwd' or somesuch.
*/
ret = HTML_CONTENT;
}
if (strcmp(p2, "xsl") == 0 || strcmp(p2, "xslt") == 0) {
return XSLT_CONTENT;
} else if (strcmp(p2, "htm") == 0 || strcmp(p2, "html") == 0) {
return HTML_CONTENT;
} }
}
return ret; return UNKNOWN_CONTENT;
} }
static int hex(char c) static int hex(char c)
......
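Review bot: util_check_valid_extension carries no comment stating its contract, and the exact strcmp() comparison on the new side is case-sensitive, so a request for `foo.XSL` or `index.HTML` now yields UNKNOWN_CONTENT (the previous strncmp() prefix match was case-sensitive as well, so this is not a regression, but it is worth confirming it is intended where the path is later resolved on a case-insensitive filesystem). I would add above the function: `/* Classify uri by the text after its last '.': an exact, case-sensitive match of "xsl"/"xslt" yields XSLT_CONTENT and "htm"/"html" yields HTML_CONTENT; a NULL uri, no '.', or any other suffix yields UNKNOWN_CONTENT. */`. The util.h hunk defines UNKNOWN_CONTENT as 0, which matches the old `ret = 0` default, so callers that test the result against 0 presumably keep working unchanged.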
...@@ -17,6 +17,7 @@ ...@@ -17,6 +17,7 @@
/* for FILE* */ /* for FILE* */
#include <stdio.h> #include <stdio.h>
#define UNKNOWN_CONTENT 0
#define XSLT_CONTENT 1 #define XSLT_CONTENT 1
#define HTML_CONTENT 2 #define HTML_CONTENT 2
......