From: schwarze Date: Sat, 19 Jul 2014 11:35:09 +0000 (+0000) Subject: Security fix: X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=8147578414af9663e24289e895fc689a48a1de06;p=openbsd Security fix: Validate the name of the file to show before opening it. Only allow relative filenames starting with "man" or "cat" and containing neither "/.." nor "../". While here, correct the condition discarding an initial "./". Vulnerability found by Sebastien Marie . Many thanks for sending a patch; however, i did not use it but made the checks even stricter. --- diff --git a/usr.bin/mandoc/cgi.c b/usr.bin/mandoc/cgi.c index bfe8b605c0a..bf175c8e4b9 100644 --- a/usr.bin/mandoc/cgi.c +++ b/usr.bin/mandoc/cgi.c @@ -1,4 +1,4 @@ -/* $Id: cgi.c,v 1.15 2014/07/18 19:02:07 schwarze Exp $ */ +/* $Id: cgi.c,v 1.16 2014/07/19 11:35:09 schwarze Exp $ */ /* * Copyright (c) 2011, 2012 Kristaps Dzonsons * Copyright (c) 2014 Ingo Schwarze @@ -462,6 +462,17 @@ resp_searchform(const struct req *req) puts(""); } +static int +validate_filename(const char *file) +{ + + if ('.' == file[0] && '/' == file[1]) + file += 2; + + return ( ! (strstr(file, "../") || strstr(file, "/..") || + (strncmp(file, "man", 3) && strncmp(file, "cat", 3)))); +} + static void pg_index(const struct req *req) { @@ -519,6 +530,15 @@ pg_searchres(const struct req *req, struct manpage *r, size_t sz) int prio, priouse; char sec; + for (i = 0; i < sz; i++) { + if (validate_filename(r[i].file)) + continue; + fprintf(stderr, "invalid filename %s in %s database\n", + r[i].file, req->q.manpath); + pg_error_internal(); + return; + } + if (1 == sz) { /* * If we have just one result, then jump there now @@ -773,7 +793,8 @@ format(const struct req *req, const char *file) static void resp_show(const struct req *req, const char *file) { - if ('.' == file[0] || '/' == file[1]) + + if ('.' == file[0] && '/' == file[1]) file += 2; if ('c' == *file) @@ -806,6 +827,12 @@ pg_show(const struct req *req, const char *path) return; } + if ( ! validate_filename(sub)) { + pg_error_badrequest( + "You specified an invalid manual file."); + return; + } + resp_begin_html(200, NULL); resp_searchform(req); resp_show(req, sub);