uri parsing: improve dot-dot handling

https://github.com/warmcat/libwebsockets/issues/481 - don't treat .../ or ..dir/ like ../ - fix handling of GET /folder/../other/ Signed-off-by: Denis Osvald <denis.osvald@sartura.hr>
2025-03-16 00:00:07 +01:00 · 2016-04-04 15:38:15 +02:00 · 2016-04-04 15:38:15 +02:00 · 208d4e0b75
commit 208d4e0b75
parent 8b83266301
2 changed files with 21 additions and 10 deletions
--- a/lib/parsers.c
+++ b/lib/parsers.c
@ -653,20 +653,22 @@ lws_parse(struct lws *wsi, unsigned char c)
 		case URIPS_SEEN_SLASH_DOT:
 			/* swallow second . */
 			if (c == '.') {
+				/* stash pos in case /..dir */
+				wsi->u.hdr.slashdotdot_pos_stash = ah->pos;
 				/*
 				 * back up one dir level if possible
 				 * safe against header fragmentation because
 				 * the method URI can only be in 1 fragment
 				 */
 				if (ah->frags[ah->nfrag].len > 2) {
-					ah->pos--;
-					ah->frags[ah->nfrag].len--;
 					do {
 						ah->pos--;
 						ah->frags[ah->nfrag].len--;
 					} while (ah->frags[ah->nfrag].len > 1 &&
-						 ah->data[ah->pos] != '/');
+						 ah->data[ah->pos-1] != '/');
 				}
+				lwsl_parser("URIPS: ../ : backed up '%.*s'\n",
+						wsi->u.hdr.slashdotdot_pos_stash - ah->pos, ah->data + ah->pos);
 				wsi->u.hdr.ups = URIPS_SEEN_SLASH_DOT_DOT;
 				goto swallow;
 			}
@ -682,14 +684,22 @@ lws_parse(struct lws *wsi, unsigned char c)
 			break;

 		case URIPS_SEEN_SLASH_DOT_DOT:
-			/* swallow prior .. chars and any subsequent . */
-			if (c == '.')
+			/* back up one dir level */
+			if (c == '/') {
+				/* we kept last slash, mark it SEEN */
+				wsi->u.hdr.ups = URIPS_SEEN_SLASH;
 				goto swallow;
-			/* last issued was /, so another / == // */
-			if (c == '/')
-				goto swallow;
-			/* last we issued was / so SEEN_SLASH */
-			wsi->u.hdr.ups = URIPS_SEEN_SLASH;
+			}
+			/* it was like /..dir ... restore prev dir and regurgitate the .. */
+			lwsl_parser("URIPS: ../ : restore '%.*s'\n",
+					wsi->u.hdr.slashdotdot_pos_stash - ah->pos, ah->data + ah->pos);
+			ah->frags[ah->nfrag].len += wsi->u.hdr.slashdotdot_pos_stash - ah->pos;
+			ah->pos = wsi->u.hdr.slashdotdot_pos_stash;
+			if (issue_char(wsi, '.') < 0)
+				return -1;
+			if (issue_char(wsi, '.') < 0)
+				return -1;
+			wsi->u.hdr.ups = URIPS_IDLE;
 			break;
 		}

--- a/lib/private-libwebsockets.h
+++ b/lib/private-libwebsockets.h
@ -954,6 +954,7 @@ struct _lws_header_related {
 	enum uri_esc_states ues;
 	short lextable_pos;
 	unsigned short current_token_limit;
+	unsigned short slashdotdot_pos_stash;
 	char esc_stash;
 	char post_literal_equal;
 	unsigned char parser_state; /* enum lws_token_indexes */