diff options
| author |   schwarze <schwarze@openbsd.org> | 2014-07-19 11:35:09 +0000 |
|---|---|---|
| committer | schwarze <schwarze@openbsd.org> | 2014-07-19 11:35:09 +0000 |
| commit | 8147578414af9663e24289e895fc689a48a1de06 (patch) | |
| tree | 4e7bb0f18ed8fd4261515e76cc90b568213e898b /usr.bin/mandoc/cgi.c | |
| parent | Document that abort() is async signal safe now that it doesn't flush (diff) | |
| download | wireguard-openbsd-8147578414af9663e24289e895fc689a48a1de06.tar.xz wireguard-openbsd-8147578414af9663e24289e895fc689a48a1de06.zip | |
Security fix:
Validate the name of the file to show before opening it.
Only allow relative filenames starting with "man" or "cat"
and containing neither "/.." nor "../".
While here, correct the condition discarding an initial "./".
Vulnerability found by Sebastien Marie <semarie-openbsd at latrappe dot fr>.
Many thanks for sending a patch; however, i did not use it but made the
checks even stricter.
Diffstat (limited to 'usr.bin/mandoc/cgi.c')
| -rw-r--r-- | usr.bin/mandoc/cgi.c | 31 |
1 files changed, 29 insertions, 2 deletions
diff --git a/usr.bin/mandoc/cgi.c b/usr.bin/mandoc/cgi.c index bfe8b605c0a..bf175c8e4b9 100644 --- a/usr.bin/mandoc/cgi.c +++ b/usr.bin/mandoc/cgi.c @@ -1,4 +1,4 @@ -/* $Id: cgi.c,v 1.15 2014/07/18 19:02:07 schwarze Exp $ */ +/* $Id: cgi.c,v 1.16 2014/07/19 11:35:09 schwarze Exp $ */ /* * Copyright (c) 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2014 Ingo Schwarze <schwarze@usta.de> @@ -462,6 +462,17 @@ resp_searchform(const struct req *req) puts("<!-- End search form. //-->"); } +static int +validate_filename(const char *file) +{ + + if ('.' == file[0] && '/' == file[1]) + file += 2; + + return ( ! (strstr(file, "../") || strstr(file, "/..") || + (strncmp(file, "man", 3) && strncmp(file, "cat", 3)))); +} + static void pg_index(const struct req *req) { @@ -519,6 +530,15 @@ pg_searchres(const struct req *req, struct manpage *r, size_t sz) int prio, priouse; char sec; + for (i = 0; i < sz; i++) { + if (validate_filename(r[i].file)) + continue; + fprintf(stderr, "invalid filename %s in %s database\n", + r[i].file, req->q.manpath); + pg_error_internal(); + return; + } + if (1 == sz) { /* * If we have just one result, then jump there now @@ -773,7 +793,8 @@ format(const struct req *req, const char *file) static void resp_show(const struct req *req, const char *file) { - if ('.' == file[0] || '/' == file[1]) + + if ('.' == file[0] && '/' == file[1]) file += 2; if ('c' == *file) @@ -806,6 +827,12 @@ pg_show(const struct req *req, const char *path) return; } + if ( ! validate_filename(sub)) { + pg_error_badrequest( + "You specified an invalid manual file."); + return; + } + resp_begin_html(200, NULL); resp_searchform(req); resp_show(req, sub); |