clone: fix directory traversal

This was introduced in the initial version of this code, way back when
in 2008.

$ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd
root0:0:root:/root:/bin/sh
...

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Jann Horn <jannh@google.com>
This commit is contained in:
Jason A. Donenfeld 2018-08-03 15:46:11 +02:00
bovenliggende c679d90104
commit 53efaf30b5

Bestand weergeven

@ -92,17 +92,32 @@ void cgit_clone_info(void)
void cgit_clone_objects(void)
{
if (!ctx.qry.path) {
cgit_print_error_page(400, "Bad request", "Bad request");
return;
}
char *p;
if (!ctx.qry.path)
goto err;
if (!strcmp(ctx.qry.path, "info/packs")) {
print_pack_info();
return;
}
/* Avoid directory traversal by forbidding "..", but also work around
* other funny business by just specifying a fairly strict format. For
* example, now we don't have to stress out about the Cygwin port.
*/
for (p = ctx.qry.path; *p; ++p) {
if (*p == '.' && *(p + 1) == '.')
goto err;
if (!isalnum(*p) && *p != '/' && *p != '.' && *p != '-')
goto err;
}
send_file(git_path("objects/%s", ctx.qry.path));
return;
err:
cgit_print_error_page(400, "Bad request", "Bad request");
}
void cgit_clone_head(void)