1.20b - URL parser now accounts for its own \.\ injection pattern.

2010-03-25 00:27:38 -04:00 · 2010-03-25 00:27:38 -04:00 · 00dcafb61c
parent 75e1b5ddd5
commit 00dcafb61c
4 changed files with 28 additions and 6 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+Version 1.20b:
+--------------
+
+  - URL parser now accounts for its own \.\ injection pattern.
+
 Version 1.19b:
 --------------

--- a/analysis.c
+++ b/analysis.c
@ -2270,13 +2270,15 @@ static void check_for_stuff(struct http_request* req,
        inl_strcasestr(sniffbuf, (u8*)"\nOptions Follow") ||
        inl_strcasestr(sniffbuf, (u8*)"\nOptions In") ||
        inl_strcasestr(sniffbuf, (u8*)"\nOptions Mult") ||
-        inl_strcasestr(sniffbuf, (u8*)"\nOptions Sym"))) ||
+        inl_strcasestr(sniffbuf, (u8*)"\nOptions Sym"))
+      ) ||
      inl_strcasestr(sniffbuf, (u8*)"\n<Directory ") ||
      (inl_strcasestr(sniffbuf, (u8*)"\nRequire ") && (
-      inl_strcasestr(sniffbuf, (u8*)"\nRequire valid") ||
-      inl_strcasestr(sniffbuf, (u8*)"\nRequire user") ||
-      inl_strcasestr(sniffbuf, (u8*)"\nRequire group") ||
-      inl_strcasestr(sniffbuf, (u8*)"\nRequire file")))) {
+        inl_strcasestr(sniffbuf, (u8*)"\nRequire valid") ||
+        inl_strcasestr(sniffbuf, (u8*)"\nRequire user") ||
+        inl_strcasestr(sniffbuf, (u8*)"\nRequire group") ||
+        inl_strcasestr(sniffbuf, (u8*)"\nRequire file"))
+      )) {
    problem(PROB_FILE_POI, req, res, (u8*)"Apache config file", req->pivot, 0);
    return;
  }
--- a/config.h
+++ b/config.h
@ -23,7 +23,7 @@
 #ifndef _HAVE_CONFIG_H
 #define _HAVE_CONFIG_H

-#define VERSION "1.19b"
+#define VERSION "1.20b"

 #define USE_COLOR               1       /* Use terminal colors             */

--- a/http_client.c
+++ b/http_client.c
@ -474,6 +474,7 @@ void tokenize_path(u8* str, struct http_request* req, u8 add_slash) {
    u8 *name = NULL, *value = NULL;
    u8 first_el = (str == cur);

+
    if (first_el || *cur == '/') {

      /* Optimize out //, /\0, /./, and /.\0. They do indicate
@ -492,6 +493,20 @@ void tokenize_path(u8* str, struct http_request* req, u8 add_slash) {
        continue;
      }

+      /* Also optimize out our own \.\ prefix injected in directory
+         probes. This is to avoid recursion if it actually worked in some
+         way. */
+
+      if (!strncmp((char*)cur, "\\.\\", 3)) {
+        cur += 3;
+        continue;
+      }
+
+      if (!strncasecmp((char*)cur, "%5c.%5c", 7)) {
+        cur += 7;
+        continue;
+      }
+
      /* If we encountered /../ or /..\0, remove everything up to and
         including the last "true" path element. It's also indicative
         of a directory, by the way. */