From 536be0214f03cebddb5fda22ce4001972bea2b0a Mon Sep 17 00:00:00 2001 From: Lammert Bies Date: Sun, 11 Dec 2016 12:09:08 +0100 Subject: [PATCH] Moved remove_double_dots to own file --- Makefile | 1 + src/httplib_remove_double_dots.c | 54 ++++++++++++++++++++++++++++++++ src/libhttp.c | 26 --------------- 3 files changed, 55 insertions(+), 26 deletions(-) create mode 100644 src/httplib_remove_double_dots.c diff --git a/Makefile b/Makefile index b96c868d..7bdad458 100644 --- a/Makefile +++ b/Makefile @@ -121,6 +121,7 @@ LIB_SOURCES = src/libhttp.c \ src/httplib_refresh_trust.c \ src/httplib_remove_bad_file.c \ src/httplib_remove_directory.c \ + src/httplib_remove_double_dots.c \ src/httplib_reset_per_request_attributes.c \ src/httplib_scan_directory.c \ src/httplib_send_authorization_request.c \ diff --git a/src/httplib_remove_double_dots.c b/src/httplib_remove_double_dots.c new file mode 100644 index 00000000..4911cbd1 --- /dev/null +++ b/src/httplib_remove_double_dots.c @@ -0,0 +1,54 @@ +/* + * Copyright (c) 2016 Lammert Bies + * Copyright (c) 2013-2016 the Civetweb developers + * Copyright (c) 2004-2013 Sergey Lyubka + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + + + +#include "libhttp-private.h" + + + +/* Protect against directory disclosure attack by removing '..', + * excessive '/' and '\' characters */ +void XX_httplib_remove_double_dots_and_double_slashes( char *s ) { + + char *p = s; + + while ((s[0] == '.') && (s[1] == '.')) s++; + + while (*s != '\0') { + *p++ = *s++; + if (s[-1] == '/' || s[-1] == '\\') { + /* Skip all following slashes, backslashes and double-dots */ + while (s[0] != '\0') { + if (s[0] == '/' || s[0] == '\\') { + s++; + } else if (s[0] == '.' && s[1] == '.') { + s += 2; + } else break; + } + } + } + *p = '\0'; + +} /* XX_httplib_remove_double_dots_and_double_slashes */ diff --git a/src/libhttp.c b/src/libhttp.c index 309aef05..2b0a9095 100644 --- a/src/libhttp.c +++ b/src/libhttp.c @@ -3604,29 +3604,3 @@ time_t XX_httplib_parse_date_string( const char *datetime ) { } /* XX_httplib_parse_date_string */ #endif /* !NO_CACHING */ - - -/* Protect against directory disclosure attack by removing '..', - * excessive '/' and '\' characters */ -void XX_httplib_remove_double_dots_and_double_slashes( char *s ) { - - char *p = s; - - while ((s[0] == '.') && (s[1] == '.')) s++; - - while (*s != '\0') { - *p++ = *s++; - if (s[-1] == '/' || s[-1] == '\\') { - /* Skip all following slashes, backslashes and double-dots */ - while (s[0] != '\0') { - if (s[0] == '/' || s[0] == '\\') { - s++; - } else if (s[0] == '.' && s[1] == '.') { - s += 2; - } else break; - } - } - } - *p = '\0'; - -} /* XX_httplib_remove_double_dots_and_double_slashes */