Fix an s_server arbitrary file read issue on Windows

Running s_server in WWW mode on Windows can allow a client to read files outside the s_server directory by including backslashes in the name, e.g. GET /..\myfile.txt HTTP/1.0 There exists a check for this for Unix paths but it is not sufficient for Windows. Since s_server is a test tool no CVE is assigned. Thanks to Jobert Abma for reporting this. Reviewed-by: N Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10215) (cherry picked from commit 0a4d6c67480a4d2fce514e08d3efe571f2ee99c9)

Fix an s_server arbitrary file read issue on Windows
Running s_server in WWW mode on Windows can allow a client to read files outside the s_server directory by including backslashes in the name, e.g. GET /..\myfile.txt HTTP/1.0 There exists a check for this for Unix paths but it is not sufficient for Windows. Since s_server is a test tool no CVE is assigned. Thanks to Jobert Abma for reporting this. Reviewed-by: N Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10215) (cherry picked from commit 0a4d6c67480a4d2fce514e08d3efe571f2ee99c9)
325c9ac1 · Matt Caswell · 3a9080d6 · 325c9ac1
隐藏空白更改
内联并排

Showing with 10 addition and 4 deletion

apps/s_server.c apps/s_server.c +10 -4

未找到文件。
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -3205,6 +3205,12 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
                if (e[0] == ' ')
                    break;

+                if (e[0] == ':') {
+                    /* Windows drive. We treat this the same way as ".." */
+                    dot = -1;
+                    break;
+                }
+
                switch (dot) {
                case 1:
                    dot = (e[0] == '.') ? 2 : 0;
@@ -3213,11 +3219,11 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
                    dot = (e[0] == '.') ? 3 : 0;
                    break;
                case 3:
-                    dot = (e[0] == '/') ? -1 : 0;
+                    dot = (e[0] == '/' || e[0] == '\\') ? -1 : 0;
                    break;
                }
                if (dot == 0)
-                    dot = (e[0] == '/') ? 1 : 0;
+                    dot = (e[0] == '/' || e[0] == '\\') ? 1 : 0;
            }
            dot = (dot == 3) || (dot == -1); /* filename contains ".."
                                              * component */
@@ -3231,11 +3237,11 @@ static int www_body(int s, int stype, int prot, unsigned char *context)

            if (dot) {
                BIO_puts(io, text);
-                BIO_printf(io, "'%s' contains '..' reference\r\n", p);
+                BIO_printf(io, "'%s' contains '..' or ':'\r\n", p);
                break;
            }

-            if (*p == '/') {
+            if (*p == '/' || *p == '\\') {
                BIO_puts(io, text);
                BIO_printf(io, "'%s' is an invalid path\r\n", p);
                break;