Fix an s_server arbitrary file read issue on Windows
author Matt Caswell <matt@openssl.org>
Fri, 18 Oct 2019 15:40:44 +0000 (16:40 +0100)
committer Matt Caswell <matt@openssl.org>
Mon, 28 Oct 2019 13:11:15 +0000 (13:11 +0000)
commit 0a4d6c67480a4d2fce514e08d3efe571f2ee99c9
tree e67043137d9872989cdf21ce65f68f803d6f1e0e
parent c549cb46e0d3cb4e611acafae5f919b4a8df4007

Running s_server in WWW mode on Windows can allow a client to read files
outside the s_server directory by including backslashes in the name, e.g.

GET /..\myfile.txt HTTP/1.0

There exists a check for this for Unix paths but it is not sufficient
for Windows.

Since s_server is a test tool no CVE is assigned.

Thanks to Jobert Abma for reporting this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10215)
apps/s_server.c
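
The gap the commit message describes, as an added example that is not the code from this commit or from OpenSSL: a component-wise check that only splits on `/` accepts `..\myfile.txt`, while one that also treats `\` as a separator and refuses drive prefixes rejects it. The function name `path_is_confined`, its `windows` flag and the sample paths are assumptions made for illustration, and the leading `/` of the request target is assumed to be stripped already.

```c
#include <stdio.h>
#include <string.h>

/* Constructed request targets (leading '/' already stripped by the caller). */
static const char *samples[] = {
    "index.html", "docs/a..b.txt", "../secret", "..\\myfile.txt",
    "sub\\..\\..\\x", "C:\\Windows\\win.ini", "\\\\host\\share\\f", "/etc/passwd"
};

static int is_sep(char c, int windows) {
    return c == '/' || (windows && c == '\\');
}

/*
 * Return 1 if `path` stays under the serving directory, 0 otherwise.
 * windows == 0 models a check that only knows '/' as a separator;
 * windows == 1 also treats '\\' as a separator and rejects drive prefixes.
 * Hypothetical helper, not part of s_server.
 */
int path_is_confined(const char *path, int windows) {
    const char *p = path;

    if (*p == '\0' || is_sep(*p, windows))
        return 0;                       /* empty, absolute or UNC path */
    if (windows && strchr(path, ':') != NULL)
        return 0;                       /* drive letter or alternate stream */
    while (*p != '\0') {
        size_t len = 0;
        while (p[len] != '\0' && !is_sep(p[len], windows))
            len++;                      /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                   /* ".." component */
        p += len;
        if (*p != '\0')
            p++;                        /* skip the separator */
    }
    return 1;
}

int main(void) {
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-24s slash-only=%d  windows-aware=%d\n", samples[i],
               path_is_confined(samples[i], 0), path_is_confined(samples[i], 1));
    return 0;
}
```

The slash-only column shows which names a Unix-style check lets through on a platform where the file APIs also honour backslashes and drive letters.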