diff options
author | Jason A. Donenfeld <Jason@zx2c4.com> | 2018-08-03 15:46:11 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2018-08-03 17:04:03 +0200 |
commit | 53efaf30b50f095cad8c160488c74bba3e3b2680 (patch) | |
tree | 48c0be88bfef03400ddd4b3871baf9de9dbe0b77 | |
parent | config: record repo.snapshot-prefix in the per-repo config (diff) | |
download | cgit-pink-53efaf30b50f095cad8c160488c74bba3e3b2680.tar.gz cgit-pink-53efaf30b50f095cad8c160488c74bba3e3b2680.zip |
clone: fix directory traversal
This was introduced in the initial version of this code, way back when in 2008. $ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd root:x:0:0:root:/root:/bin/sh ... Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Reported-by: Jann Horn <jannh@google.com>
-rw-r--r-- | ui-clone.c | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/ui-clone.c b/ui-clone.c index 2c1ac3d..6ba8f36 100644 --- a/ui-clone.c +++ b/ui-clone.c @@ -92,17 +92,32 @@ void cgit_clone_info(void) void cgit_clone_objects(void) { - if (!ctx.qry.path) { - cgit_print_error_page(400, "Bad request", "Bad request"); - return; - } + char *p; + + if (!ctx.qry.path) + goto err; if (!strcmp(ctx.qry.path, "info/packs")) { print_pack_info(); return; } + /* Avoid directory traversal by forbidding "..", but also work around + * other funny business by just specifying a fairly strict format. For + * example, now we don't have to stress out about the Cygwin port. + */ + for (p = ctx.qry.path; *p; ++p) { + if (*p == '.' && *(p + 1) == '.') + goto err; + if (!isalnum(*p) && *p != '/' && *p != '.' && *p != '-') + goto err; + } + send_file(git_path("objects/%s", ctx.qry.path)); + return; + +err: + cgit_print_error_page(400, "Bad request", "Bad request"); } void cgit_clone_head(void) |