plate/telodendria
1
0
Fork 0
forked from lda/telodendria
Code Pull requests Activity Actions

Prevent directory traversals by replacing dots and slashes.

Browse source
This commit is contained in:
Jordan Bancino 2022-12-15 16:07:45 +00:00
parent de6a857ce7
commit cc6ae2dbd3
2 changed files with 26 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
man/man7/telodendria-changelog.7
View file

@ -68,6 +68,10 @@ would occur in some edge cases.
.It .It
Fixed an "off-by-one" error in the HTTP server request Fixed an "off-by-one" error in the HTTP server request
parser that prevented GET parameters from being parsed. parser that prevented GET parameters from being parsed.
.It
Fixed the database file name generator to prevent directory
traversal attacks by replacing characters with special meaning
with safer characters.
.El .El
.Pp .Pp
Misc.: Misc.:

24
src/Db.c
View file

@ -208,10 +208,30 @@ DbFileName(Db * db, Array * args)
for (i = 0; i < ArraySize(args); i++) for (i = 0; i < ArraySize(args); i++)
{ {
char *tmp, *tmp2; char *tmp, *tmp2;
char *arg = UtilStringDuplicate(ArrayGet(args, i));
tmp = UtilStringConcat(str, ArrayGet(args, i)); /* Sanitize name to prevent directory traversal attacks */
tmp2 = UtilStringConcat(tmp, (i < ArraySize(args) - 1) ? "/" : ".json"); while (*arg)
{
switch (*arg)
{
case '/':
*arg = '_';
break;
case '.':
*arg = '-';
break;
default:
break;
}
arg++;
}
tmp = UtilStringConcat(str, arg);
tmp2 = UtilStringConcat(tmp,
(i < ArraySize(args) - 1) ? "/" : ".json");
Free(arg);
Free(str); Free(str);
Free(tmp); Free(tmp);