Prevent directory traversals by replacing dots and slashes.

This commit is contained in:
Jordan Bancino 2022-12-15 16:07:45 +00:00
parent de6a857ce7
commit cc6ae2dbd3
2 changed files with 26 additions and 2 deletions

View file

@ -68,6 +68,10 @@ would occur in some edge cases.
.It
Fixed an "off-by-one" error in the HTTP server request
parser that prevented GET parameters from being parsed.
.It
Fixed the database file name generator to prevent directory
traversal attacks by replacing characters with special meaning
with safer characters.
.El
.Pp
Misc.:

View file

@ -208,10 +208,30 @@ DbFileName(Db * db, Array * args)
for (i = 0; i < ArraySize(args); i++)
{
char *tmp, *tmp2;
char *arg = UtilStringDuplicate(ArrayGet(args, i));
tmp = UtilStringConcat(str, ArrayGet(args, i));
tmp2 = UtilStringConcat(tmp, (i < ArraySize(args) - 1) ? "/" : ".json");
/* Sanitize name to prevent directory traversal attacks */
while (*arg)
{
switch (*arg)
{
case '/':
*arg = '_';
break;
case '.':
*arg = '-';
break;
default:
break;
}
arg++;
}
tmp = UtilStringConcat(str, arg);
tmp2 = UtilStringConcat(tmp,
(i < ArraySize(args) - 1) ? "/" : ".json");
Free(arg);
Free(str);
Free(tmp);