Commit c8f565b0 authored by Philipp Schafft's avatar Philipp Schafft 🦁

Update: SECURITY File extension check for trailing characters

This changes the file extension check in a way that it no longer
ignores trailing characters. This significantly reduces the risk
for false positives while matching. However this invalidates old
setups with files like foo.xsl3. However I have never files like
that in the wild.

This is based on the patch privided by ePirat in ticket #2248.

See: #2248
parent 805084cc
......@@ -197,35 +197,23 @@ char *util_get_extension(const char *path) {
}
int util_check_valid_extension(const char *uri) {
int ret = 0;
char *p2;
const char *p2;
if (!uri)
return UNKNOWN_CONTENT;
if (uri) {
p2 = strrchr(uri, '.');
if (p2) {
if (!p2)
return UNKNOWN_CONTENT;
p2++;
if (strncmp(p2, "xsl", strlen("xsl")) == 0) {
/* Build the full path for the request, concatenating the webroot from the config.
** Here would be also a good time to prevent accesses like '../../../../etc/passwd' or somesuch.
*/
ret = XSLT_CONTENT;
}
if (strncmp(p2, "htm", strlen("htm")) == 0) {
/* Build the full path for the request, concatenating the webroot from the config.
** Here would be also a good time to prevent accesses like '../../../../etc/passwd' or somesuch.
*/
ret = HTML_CONTENT;
}
if (strncmp(p2, "html", strlen("html")) == 0) {
/* Build the full path for the request, concatenating the webroot from the config.
** Here would be also a good time to prevent accesses like '../../../../etc/passwd' or somesuch.
*/
ret = HTML_CONTENT;
}
if (strcmp(p2, "xsl") == 0 || strcmp(p2, "xslt") == 0) {
return XSLT_CONTENT;
} else if (strcmp(p2, "htm") == 0 || strcmp(p2, "html") == 0) {
return HTML_CONTENT;
}
}
return ret;
return UNKNOWN_CONTENT;
}
static int hex(char c)
......
......@@ -17,6 +17,7 @@
/* for FILE* */
#include <stdio.h>
#define UNKNOWN_CONTENT 0
#define XSLT_CONTENT 1
#define HTML_CONTENT 2
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment