Prevent directory traversals by replacing dots and slashes.
This commit is contained in:
parent
de6a857ce7
commit
cc6ae2dbd3
2 changed files with 26 additions and 2 deletions
|
@ -68,6 +68,10 @@ would occur in some edge cases.
|
||||||
.It
|
.It
|
||||||
Fixed an "off-by-one" error in the HTTP server request
|
Fixed an "off-by-one" error in the HTTP server request
|
||||||
parser that prevented GET parameters from being parsed.
|
parser that prevented GET parameters from being parsed.
|
||||||
|
.It
|
||||||
|
Fixed the database file name generator to prevent directory
|
||||||
|
traversal attacks by replacing characters with special meaning
|
||||||
|
with safer characters.
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
Misc.:
|
Misc.:
|
||||||
|
|
24
src/Db.c
24
src/Db.c
|
@ -208,10 +208,30 @@ DbFileName(Db * db, Array * args)
|
||||||
for (i = 0; i < ArraySize(args); i++)
|
for (i = 0; i < ArraySize(args); i++)
|
||||||
{
|
{
|
||||||
char *tmp, *tmp2;
|
char *tmp, *tmp2;
|
||||||
|
char *arg = UtilStringDuplicate(ArrayGet(args, i));
|
||||||
|
|
||||||
tmp = UtilStringConcat(str, ArrayGet(args, i));
|
/* Sanitize name to prevent directory traversal attacks */
|
||||||
tmp2 = UtilStringConcat(tmp, (i < ArraySize(args) - 1) ? "/" : ".json");
|
while (*arg)
|
||||||
|
{
|
||||||
|
switch (*arg)
|
||||||
|
{
|
||||||
|
case '/':
|
||||||
|
*arg = '_';
|
||||||
|
break;
|
||||||
|
case '.':
|
||||||
|
*arg = '-';
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
arg++;
|
||||||
|
}
|
||||||
|
|
||||||
|
tmp = UtilStringConcat(str, arg);
|
||||||
|
tmp2 = UtilStringConcat(tmp,
|
||||||
|
(i < ArraySize(args) - 1) ? "/" : ".json");
|
||||||
|
|
||||||
|
Free(arg);
|
||||||
Free(str);
|
Free(str);
|
||||||
Free(tmp);
|
Free(tmp);
|
||||||
|
|
||||||
|
|
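Review bot: `arg` is advanced by `arg++` inside the sanitizing `while (*arg)` loop and never reset, so by the time `tmp = UtilStringConcat(str, arg);` runs it points at the terminating NUL — each path component is appended as an empty string — and `Free(arg)` then receives a pointer into the middle of the duplicate rather than the one `UtilStringDuplicate` returned, which is undefined behaviour if `Free()` wraps `free()`. Walk the string through a separate cursor and leave `arg` at the start of the allocation; the rewritten loop is below. The result of `UtilStringDuplicate` is dereferenced without a check — if it can return NULL on allocation failure (not visible from this hunk), the loop needs a guard before `*arg` is read. It would also help to comment that the mapping is lossy: two argument sets that differ only by `.` versus `-` (or `/` versus `_`) at the same position resolve to the same file, so callers must not assume the generated name is unique per argument set. DbFileName begins and ends outside the hunk.
```c
char *arg = UtilStringDuplicate(ArrayGet(args, i));
char *p;

/* Sanitize name to prevent directory traversal attacks;
 * iterate with a cursor so arg still points at the allocation
 * for the concat and Free() below. */
for (p = arg; *p; p++)
{
    switch (*p)
    {
        case '/':
            *p = '_';
            break;
        case '.':
            *p = '-';
            break;
        default:
            break;
    }
}

/* … unchanged: concatenation of arg into str and the Free() calls … */
```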