diff options
| author | Alex Dowad <alexinbeijing@gmail.com> | 2014-04-10 22:08:00 +0200 |
|---|---|---|
| committer | Timo Teräs <timo.teras@iki.fi> | 2014-04-25 10:18:11 +0300 |
| commit | 234f61a74e7ba4be512026d67d4ec9975b80632c (patch) | |
| tree | fb2e323e08dff1fba6e1aacf29c00905c31278e3 | |
| parent | b7eac294771a72711208d288657a5667d65e8882 (diff) | |
| download | squark-234f61a74e7ba4be512026d67d4ec9975b80632c.tar.bz2 squark-234f61a74e7ba4be512026d67d4ec9975b80632c.tar.xz | |
squark-filter: correctly identify URLs which use ..
Previously squark-filter could be tricked into passing forbidden URLs
by using /../ in the path. This bug resulted from confusion about which
way to shrink/grow "blob" buffers in when canonicalizing URLs.
| -rw-r--r-- | src/blob.c | 9 | ||||
| -rw-r--r-- | src/blob.h | 1 |
2 files changed, 9 insertions, 1 deletions
@@ -277,7 +277,8 @@ void blob_push_urldecode(blob_t *to, blob_t url) /* skip '.' or two consecutive / */ } else if (blob_cmp(b, BLOB_STR("..")) == 0) { /* go up one path component */ - blob_shrink_tail(to, blob_pushed(orig, b), '/'); + blob_expand_head(to, orig, '/'); + blob_expand_head_bytes(to, 1); /* back up past the '/' separator */ } else { /* copy decoded; FIXME decode percent encoding */ blob_push_byte(to, '/'); @@ -410,6 +411,12 @@ blob_t blob_expand_head(blob_t *b, blob_t limits, unsigned char sep) return r; } +void blob_expand_head_bytes(blob_t *b, int bytes) +{ + b->ptr -= bytes; + b->len += bytes; +} + blob_t blob_expand_tail(blob_t *b, blob_t limits, unsigned char sep) { blob_t t = *b; @@ -65,5 +65,6 @@ int blob_pull_inet_addr(blob_t *b, struct in_addr *saddr); blob_t blob_expand_head(blob_t *b, blob_t limits, unsigned char sep); blob_t blob_expand_tail(blob_t *b, blob_t limits, unsigned char sep); blob_t blob_shrink_tail(blob_t *b, blob_t limits, unsigned char sep); +void blob_expand_head_bytes(blob_t *b, int bytes); #endif |