Fix an s_server arbitrary file read issue on Windows
author Matt Caswell <matt@openssl.org>
Fri, 18 Oct 2019 15:40:44 +0000 (16:40 +0100)
committer Matt Caswell <matt@openssl.org>
Mon, 28 Oct 2019 13:15:52 +0000 (13:15 +0000)
commit 325c9ac198c822ca634a12d3856341c5044c66d0
tree 57e831692c6c38e6e617a977a3cbd3cc3980be95
parent 3a9080d6f486c270457b9f2b0da15d2702539f98
Fix an s_server arbitrary file read issue on Windows

Running s_server in WWW mode on Windows can allow a client to read files
outside the s_server directory by including backslashes in the name, e.g.

GET /..\myfile.txt HTTP/1.0

There exists a check for this for Unix paths but it is not sufficient
for Windows.

Since s_server is a test tool no CVE is assigned.

Thanks to Jobert Abma for reporting this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10215)

(cherry picked from commit 0a4d6c67480a4d2fce514e08d3efe571f2ee99c9)
apps/s_server.c
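
The gap the commit message describes, as an added example (this is not the OpenSSL patch, which is not shown on this page): a check that treats only '/' as a separator accepts `..\myfile.txt`, while one that also treats '\' as a separator refuses it. The names `is_sep` and `path_is_safe`, the `windows` flag and the colon rule are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: is c a path separator on the target platform? */
static int is_sep(char c, int windows)
{
    return c == '/' || (windows && c == '\\');
}

/*
 * Return 1 if path (the request target after the leading '/') may be opened
 * relative to the serving directory, 0 if it must be refused.
 * windows == 0 models a check that only knows Unix separators.
 */
int path_is_safe(const char *path, int windows)
{
    const char *p = path;

    if (*p == '\0' || is_sep(*p, windows))
        return 0;               /* empty or absolute path */
    if (windows && strchr(path, ':') != NULL)
        return 0;               /* drive-relative ("C:x") or stream syntax */
    while (*p != '\0') {
        const char *start = p;

        while (*p != '\0' && !is_sep(*p, windows))
            p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return 0;           /* ".." component walks out of the directory */
        if (*p != '\0')
            p++;                /* step over the separator */
    }
    return 1;
}

int main(void)
{
    /* Constructed request targets, leading '/' already removed. */
    const char *samples[] = { "index.html", "../myfile.txt", "..\\myfile.txt",
                              "docs\\..\\..\\x", "C:\\x", "a..b/c" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s unix-only=%d windows-aware=%d\n", samples[i],
               path_is_safe(samples[i], 0), path_is_safe(samples[i], 1));
    return 0;
}
```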