Commit 59a5c5c2 authored by Tobias S. Josefowitz's avatar Tobias S. Josefowitz

Tools.Standalone.httpserver: Fix directory traversal vulnerability

Thanks to Chris Angelico <rosuav@gmail.com> for the report.
...@@ -15,6 +15,8 @@ constant version = sprintf(#"Pike httpserver %d.%d.%d ...@@ -15,6 +15,8 @@ constant version = sprintf(#"Pike httpserver %d.%d.%d
constant description = "Minimal HTTP-server."; constant description = "Minimal HTTP-server.";
string cwd;
int main(int argc, array(string) argv) int main(int argc, array(string) argv)
{ {
int my_port = 8080; int my_port = 8080;
...@@ -28,13 +30,14 @@ int main(int argc, array(string) argv) ...@@ -28,13 +30,14 @@ int main(int argc, array(string) argv)
default: default:
my_port=(int)argv[-1]; my_port=(int)argv[-1];
} }
cwd = getcwd();
Protocols.HTTP.Server.Port(handle_request, my_port); Protocols.HTTP.Server.Port(handle_request, my_port);
write("%s is now accessible on port %d through http, " write("%s is now accessible on port %d through http, "
"without password.\n", getcwd(), my_port); "without password.\n", getcwd(), my_port);
return -1; return -1;
} }
string dirlist( string dir ) string dirlist( string dir, string rel_dir )
{ {
string res = string res =
"<html><head>\n" "<html><head>\n"
...@@ -43,7 +46,7 @@ string dirlist( string dir ) ...@@ -43,7 +46,7 @@ string dirlist( string dir )
".even { background-color:#fefefe; }\n" ".even { background-color:#fefefe; }\n"
"</style>\n" "</style>\n"
"</head><body>\n" "</head><body>\n"
"<h1>"+Parser.encode_html_entities(dir[2..])+"</h1>" "<h1>"+Parser.encode_html_entities(rel_dir)+"</h1>"
"<table cellspacing='0' cellpadding='2'>\n" "<table cellspacing='0' cellpadding='2'>\n"
"<tr><th align='left'>Filename</th>" "<tr><th align='left'>Filename</th>"
"<th align='right'>Type</th>" "<th align='right'>Type</th>"
...@@ -81,8 +84,9 @@ string file_not_found(string fname) ...@@ -81,8 +84,9 @@ string file_not_found(string fname)
void handle_request(Protocols.HTTP.Server.Request request) void handle_request(Protocols.HTTP.Server.Request request)
{ {
string file = "."+combine_path("/",request->not_query); string file = Protocols.HTTP.uri_decode(request->not_query);
file = Protocols.HTTP.uri_decode(file); string rel_file = combine_path_unix("/", file)[1..];
file = combine_path(cwd, rel_file);
Stdio.Stat s = file_stat( file ); Stdio.Stat s = file_stat( file );
if( !s ) if( !s )
request->response_and_finish( (["data": request->response_and_finish( (["data":
...@@ -90,7 +94,7 @@ void handle_request(Protocols.HTTP.Server.Request request) ...@@ -90,7 +94,7 @@ void handle_request(Protocols.HTTP.Server.Request request)
"type":"text/html", "type":"text/html",
"error":404]) ); "error":404]) );
else if( s->isdir ) else if( s->isdir )
request->response_and_finish( ([ "data":dirlist(file), request->response_and_finish( ([ "data":dirlist(file, rel_file),
"type":"text/html" ]) ); "type":"text/html" ]) );
else else
request->response_and_finish( ([ "file":Stdio.File(file), request->response_and_finish( ([ "file":Stdio.File(file),
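Review bot: After `file = combine_path(cwd, rel_file);` nothing re-checks that the joined path is still inside `cwd`, so the containment guarantee rests entirely on `combine_path_unix` having normalized every separator; a one-line guard such as `if (!has_prefix(file, cwd)) { /* same 404 response as the !s branch */ return; }` would make the intent explicit and catch any gap. One such gap is plausible on platforms where `combine_path` is not the unix variant: a backslash in the decoded `not_query` is an ordinary character to `combine_path_unix` but may act as a separator in the native join (inferred, worth confirming on a Windows build). Symlinks below `cwd` still resolve outside the served tree, which this commit does not claim to address but is worth a comment on the `cwd` declaration. For consistency, the `write(...)` in main still calls `getcwd()` where the new `cwd` variable could be used. The body of handle_request continues past the end of this hunk.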