mirror of https://github.com/omar-polo/gmid.git
fix IRI-parsing bug
Some specially crafted IRIs can cause a denial of service (DoS). IRIs which have a trailing `..' segment and resolve to a valid IRI (i.e. a .. that's not escaping the root directory) will make the server process loop forever. This is """just""" a DoS vulnerability; it doesn't expose anything sensitive or give an attacker anything else.
parent
f2522b4313
commit
9d092b607a
6
iri.c
6
iri.c
|
@ -272,9 +272,13 @@ path_clean(char *path)
|
|||
}
|
||||
|
||||
/* 3. eliminate each inner .. along with the preceding non-.. */
|
||||
for (i = strstr(path, "../"); i != NULL; i = strstr(path, ".."))
|
||||
for (i = strstr(path, "../"); i != NULL; i = strstr(path, "..")) {
|
||||
/* break if we've found a trailing .. */
|
||||
if (i[2] == '\0')
|
||||
break;
|
||||
if (!path_elide_dotdot(path, i, 3))
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* 4. eliminate trailing ..*/
|
||||
if ((i = strstr(path, "..")) != NULL)
|
||||
|
|
|
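Review bot: The loop's re-scan expression still searches for `".."` rather than `"../"`, so after the first elision any later segment that merely contains two dots (a constructed example: `foo..bar`) is passed to `path_elide_dotdot(path, i, 3)` as if it were a `..` segment; the new `i[2] == '\0'` guard covers only the trailing case. Using the same needle as the initial search, `i = strstr(path, "../")`, would leave a trailing `..` to step 4 and make the `break` unnecessary. Step 4's `strstr(path, "..")` has the same first-match problem, since it does not check that the match sits at the end of the path. What `path_elide_dotdot` does with such input is not visible here and `path_clean` starts and ends outside the hunk, so this should be confirmed with a test before changing it.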
@ -194,6 +194,10 @@ main(void)
|
|||
PASS,
|
||||
IRI("gemini", "omarpolo.com", "", "foo", "", ""),
|
||||
"Trim initial slashes (pt. 2)");
|
||||
TEST("http://a/b/c/../..",
|
||||
PASS,
|
||||
IRI("http", "a", "", "", "", ""),
|
||||
"avoid infinite loops (see v1.6.1)");
|
||||
|
||||
/* query */
|
||||
TEST("foo://example.com/foo/?gne",
|
||||
|
|
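Review bot: The added case pins only one shape of the loop bug, and if the bug regresses the test program would presumably hang in `path_clean` instead of reporting a failure. Consider adding a single-level case next to it, e.g. `TEST("http://a/b/..", PASS, IRI("http", "a", "", "", "", ""), "trailing .. (single level)");` (expected IRI inferred from the existing case, to be confirmed), plus one path whose segment name contains two dots. A timeout around the run, such as an `alarm()` call at the top of `main`, would turn a future infinite loop into a visible failure; `main` starts and ends outside the hunk, so where that belongs is not visible here.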