crtxcr/cgitsb
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

clone: fix directory traversal

Browse Source 
This was introduced in the initial version of this code, way back when
in 2008.

$ curl http://127.0.0.1/cgit/repo/objects/?path=../../../../../../../../../etc/passwd
root0:0:root:/root:/bin/sh
...

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Jann Horn <jannh@google.com>
This commit is contained in:
Jason A. Donenfeld 2018-08-03 15:46:11 +02:00
parent c679d90104
commit 53efaf30b5
1 changed files with 19 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
ui-clone.c
View File

@ -92,17 +92,32 @@ void cgit_clone_info(void)
void cgit_clone_objects(void) void cgit_clone_objects(void)
{ {
if (!ctx.qry.path) { char *p;
cgit_print_error_page(400, "Bad request", "Bad request");
return; if (!ctx.qry.path)
} goto err;
if (!strcmp(ctx.qry.path, "info/packs")) { if (!strcmp(ctx.qry.path, "info/packs")) {
print_pack_info(); print_pack_info();
return; return;
} }
/* Avoid directory traversal by forbidding "..", but also work around
* other funny business by just specifying a fairly strict format. For
* example, now we don't have to stress out about the Cygwin port.
*/
for (p = ctx.qry.path; *p; ++p) {
if (*p == '.' && *(p + 1) == '.')
goto err;
if (!isalnum(*p) && *p != '/' && *p != '.' && *p != '-')
goto err;
}
send_file(git_path("objects/%s", ctx.qry.path)); send_file(git_path("objects/%s", ctx.qry.path));
return;
err:
cgit_print_error_page(400, "Bad request", "Bad request");
} }
void cgit_clone_head(void) void cgit_clone_head(void)