From 234f61a74e7ba4be512026d67d4ec9975b80632c Mon Sep 17 00:00:00 2001
From: Alex Dowad
Date: Thu, 10 Apr 2014 22:08:00 +0200
Subject: squark-filter: correctly identify URLs which use ..

Previously squark-filter could be tricked into passing forbidden URLs by using /../ in the path. This bug resulted from confusion about which way to shrink/grow "blob" buffers in when canonicalizing URLs.
---
 src/blob.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'src/blob.c')
diff --git a/src/blob.c b/src/blob.c
index 196adf9..41e8d75 100644
--- a/src/blob.c
+++ b/src/blob.c
@@ -277,7 +277,8 @@ void blob_push_urldecode(blob_t *to, blob_t url)
 /* skip '.' or two consecutive / */
 } else if (blob_cmp(b, BLOB_STR("..")) == 0) {
 /* go up one path component */
- blob_shrink_tail(to, blob_pushed(orig, b), '/');
+ blob_expand_head(to, orig, '/');
+ blob_expand_head_bytes(to, 1); /* back up past the '/' separator */
 } else {
 /* copy decoded; FIXME decode percent encoding */
 blob_push_byte(to, '/');
@@ -410,6 +411,12 @@ blob_t blob_expand_head(blob_t *b, blob_t limits, unsigned char sep)
 return r;
 }
 
+void blob_expand_head_bytes(blob_t *b, int bytes)
+{
+ b->ptr -= bytes;
+ b->len += bytes;
+}
+
 blob_t blob_expand_tail(blob_t *b, blob_t limits, unsigned char sep)
 {
 blob_t t = *b;
-- 
cgit v1.2.3
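Review bot: The added `blob_expand_head_bytes(to, 1);` in the `..` branch runs unconditionally, so when there is no component left to pop (a path with more `..` segments than directories) it appears to move `to->ptr` one byte before the start of `orig`, and the following `blob_push_byte` would then write outside the output buffer. Whether `blob_expand_head` clamps at its `limits` argument is not visible here, but the extra one-byte step is bounded by nothing in this hunk. Guard it, for example `if (to->ptr > orig.ptr) blob_expand_head_bytes(to, 1);`, and add a regression test for a URL whose `..` count exceeds its depth. The body of blob_push_urldecode starts and ends outside the hunk, so the type of `orig` is assumed from its use as the `limits` argument.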
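Review bot: `blob_expand_head_bytes` takes a signed `int` and moves `b->ptr` with no limits argument, unlike `blob_expand_head` just above it, so a negative or oversized `bytes` silently leaves the blob pointing outside its backing buffer. Either pass the limits blob and clamp against it, or at minimum make the count unsigned and document the precondition with a comment such as `/* grow b toward its head by 'bytes'; caller guarantees those bytes lie inside the original buffer */`. The function is also called near line 280 but defined near line 414, so a prototype has to be visible earlier; this view is limited to src/blob.c, so the header change cannot be confirmed here.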