Prevent directory traversals by replacing dots and slashes.
parent
de6a857ce7
commit
cc6ae2dbd3
2 changed files with 26 additions and 2 deletions
|
@ -68,6 +68,10 @@ would occur in some edge cases.
|
|||
.It
|
||||
Fixed an "off-by-one" error in the HTTP server request
|
||||
parser that prevented GET parameters from being parsed.
|
||||
.It
|
||||
Fixed the database file name generator to prevent directory
|
||||
traversal attacks by replacing characters with special meaning
|
||||
with safer characters.
|
||||
.El
|
||||
.Pp
|
||||
Misc.:
|
||||
|
|
24
src/Db.c
24
src/Db.c
|
@ -208,10 +208,30 @@ DbFileName(Db * db, Array * args)
|
|||
for (i = 0; i < ArraySize(args); i++)
|
||||
{
|
||||
char *tmp, *tmp2;
|
||||
char *arg = UtilStringDuplicate(ArrayGet(args, i));
|
||||
|
||||
tmp = UtilStringConcat(str, ArrayGet(args, i));
|
||||
tmp2 = UtilStringConcat(tmp, (i < ArraySize(args) - 1) ? "/" : ".json");
|
||||
/* Sanitize name to prevent directory traversal attacks */
|
||||
while (*arg)
|
||||
{
|
||||
switch (*arg)
|
||||
{
|
||||
case '/':
|
||||
*arg = '_';
|
||||
break;
|
||||
case '.':
|
||||
*arg = '-';
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
arg++;
|
||||
}
|
||||
|
||||
tmp = UtilStringConcat(str, arg);
|
||||
tmp2 = UtilStringConcat(tmp,
|
||||
(i < ArraySize(args) - 1) ? "/" : ".json");
|
||||
|
||||
Free(arg);
|
||||
Free(str);
|
||||
Free(tmp);
|
||||
|
||||
|
|
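Review bot: The sanitizing loop advances `arg` itself (`arg++` at the bottom of the `while`), so by the time `tmp = UtilStringConcat(str, arg)` runs, `arg` points at the terminating NUL — every path component is concatenated as an empty string — and `Free(arg)` then releases a pointer to the end of the allocation rather than its base. Walk the string with a separate cursor and keep `arg` as the allocation base for the concat and the free. The blacklist also covers only `/` and `.`; a backslash passes through untouched, which matters if the store is ever used on a platform that treats `\` as a separator, so an allowlist (letters, digits, `-`, `_`) would be the more robust choice, though the rewrite below keeps the commit's replacement semantics. Whether `UtilStringDuplicate` can return NULL is not visible here; if it can, the loop dereferences it unchecked. DbFileName's body begins and ends outside this hunk.
```c
char *arg = UtilStringDuplicate(ArrayGet(args, i));
char *p;

/* Sanitize name to prevent directory traversal attacks.
 * Walk with a separate cursor so arg still points at the
 * allocation base for the concat and Free() below. */
for (p = arg; *p; p++)
{
    if (*p == '/')
    {
        *p = '_';
    }
    else if (*p == '.')
    {
        *p = '-';
    }
}
/* … unchanged: tmp/tmp2 concat, Free(arg), Free(str), Free(tmp) … */
```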