1.20b - URL parser now accounts for its own \.\ injection pattern.
parent
75e1b5ddd5
commit
00dcafb61c
|
@ -1,3 +1,8 @@
|
|||
Version 1.20b:
|
||||
--------------
|
||||
|
||||
- URL parser now accounts for its own \.\ injection pattern.
|
||||
|
||||
Version 1.19b:
|
||||
--------------
|
||||
|
||||
|
|
12
analysis.c
12
analysis.c
|
@ -2270,13 +2270,15 @@ static void check_for_stuff(struct http_request* req,
|
|||
inl_strcasestr(sniffbuf, (u8*)"\nOptions Follow") ||
|
||||
inl_strcasestr(sniffbuf, (u8*)"\nOptions In") ||
|
||||
inl_strcasestr(sniffbuf, (u8*)"\nOptions Mult") ||
|
||||
inl_strcasestr(sniffbuf, (u8*)"\nOptions Sym"))) ||
|
||||
inl_strcasestr(sniffbuf, (u8*)"\nOptions Sym"))
|
||||
) ||
|
||||
inl_strcasestr(sniffbuf, (u8*)"\n<Directory ") ||
|
||||
(inl_strcasestr(sniffbuf, (u8*)"\nRequire ") && (
|
||||
inl_strcasestr(sniffbuf, (u8*)"\nRequire valid") ||
|
||||
inl_strcasestr(sniffbuf, (u8*)"\nRequire user") ||
|
||||
inl_strcasestr(sniffbuf, (u8*)"\nRequire group") ||
|
||||
inl_strcasestr(sniffbuf, (u8*)"\nRequire file")))) {
|
||||
inl_strcasestr(sniffbuf, (u8*)"\nRequire valid") ||
|
||||
inl_strcasestr(sniffbuf, (u8*)"\nRequire user") ||
|
||||
inl_strcasestr(sniffbuf, (u8*)"\nRequire group") ||
|
||||
inl_strcasestr(sniffbuf, (u8*)"\nRequire file"))
|
||||
)) {
|
||||
problem(PROB_FILE_POI, req, res, (u8*)"Apache config file", req->pivot, 0);
|
||||
return;
|
||||
}
|
||||
|
|
2
config.h
2
config.h
|
@ -23,7 +23,7 @@
|
|||
#ifndef _HAVE_CONFIG_H
|
||||
#define _HAVE_CONFIG_H
|
||||
|
||||
#define VERSION "1.19b"
|
||||
#define VERSION "1.20b"
|
||||
|
||||
#define USE_COLOR 1 /* Use terminal colors */
|
||||
|
||||
|
|
|
@ -474,6 +474,7 @@ void tokenize_path(u8* str, struct http_request* req, u8 add_slash) {
|
|||
u8 *name = NULL, *value = NULL;
|
||||
u8 first_el = (str == cur);
|
||||
|
||||
|
||||
if (first_el || *cur == '/') {
|
||||
|
||||
/* Optimize out //, /\0, /./, and /.\0. They do indicate
|
||||
|
@ -492,6 +493,20 @@ void tokenize_path(u8* str, struct http_request* req, u8 add_slash) {
|
|||
continue;
|
||||
}
|
||||
|
||||
/* Also optimize out our own \.\ prefix injected in directory
|
||||
probes. This is to avoid recursion if it actually worked in some
|
||||
way. */
|
||||
|
||||
if (!strncmp((char*)cur, "\\.\\", 3)) {
|
||||
cur += 3;
|
||||
continue;
|
||||
}
|
||||
|
||||
if (!strncasecmp((char*)cur, "%5c.%5c", 7)) {
|
||||
cur += 7;
|
||||
continue;
|
||||
}
|
||||
|
||||
/* If we encountered /../ or /..\0, remove everything up to and
|
||||
including the last "true" path element. It's also indicative
|
||||
of a directory, by the way. */
|
||||
|
|
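Review bot: The two new prefix checks in tokenize_path compare starting at `cur` itself, but the branch shown in the previous hunk is entered when `*cur == '/'`, so for every element after the first `cur` appears to point at the slash and neither `"\\.\\"` nor `"%5c.%5c"` can match; the skip would then fire only when the path string itself begins with the pattern, and the scanner's own injected probe would still be tokenized as a path element. The checks also do not require the element to end after the pattern, so a genuine name that merely starts with `\.\` would silently lose its first three bytes. If the intent is to drop a whole injected element, a form such as `if (!strncmp((char*)cur, "/\\.\\", 4) && (!cur[4] || cur[4] == '/')) { cur += 4; continue; }`, with the same shape for `"/%5c.%5c"` and length 8, would express that. The function body starts and ends outside these hunks and indentation is lost on this page, so the nesting should be confirmed against the file.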