From: Matt Caswell Date: Fri, 18 Oct 2019 15:40:44 +0000 (+0100) Subject: Fix an s_server arbitrary file read issue on Windows X-Git-Tag: openssl-3.0.0-alpha1~1076 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=0a4d6c67480a4d2fce514e08d3efe571f2ee99c9;p=oweals%2Fopenssl.git Fix an s_server arbitrary file read issue on Windows Running s_server in WWW mode on Windows can allow a client to read files outside the s_server directory by including backslashes in the name, e.g. GET /..\myfile.txt HTTP/1.0 There exists a check for this for Unix paths but it is not sufficient for Windows. Since s_server is a test tool no CVE is assigned. Thanks to Jobert Abma for reporting this. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/10215) --- diff --git a/apps/s_server.c b/apps/s_server.c index 0380468080..5f58ef68fe 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -3211,6 +3211,12 @@ static int www_body(int s, int stype, int prot, unsigned char *context) if (e[0] == ' ') break; + if (e[0] == ':') { + /* Windows drive. We treat this the same way as ".." */ + dot = -1; + break; + } + switch (dot) { case 1: dot = (e[0] == '.') ? 2 : 0; @@ -3219,11 +3225,11 @@ static int www_body(int s, int stype, int prot, unsigned char *context) dot = (e[0] == '.') ? 3 : 0; break; case 3: - dot = (e[0] == '/') ? -1 : 0; + dot = (e[0] == '/' || e[0] == '\\') ? -1 : 0; break; } if (dot == 0) - dot = (e[0] == '/') ? 1 : 0; + dot = (e[0] == '/' || e[0] == '\\') ? 1 : 0; } dot = (dot == 3) || (dot == -1); /* filename contains ".." * component */ @@ -3237,11 +3243,11 @@ static int www_body(int s, int stype, int prot, unsigned char *context) if (dot) { BIO_puts(io, text); - BIO_printf(io, "'%s' contains '..' reference\r\n", p); + BIO_printf(io, "'%s' contains '..' or ':'\r\n", p); break; } - if (*p == '/') { + if (*p == '/' || *p == '\\') { BIO_puts(io, text); BIO_printf(io, "'%s' is an invalid path\r\n", p); break;