1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-09 00:00:04 +01:00

uri processing reject paths not starting with slash

https://github.com/warmcat/libwebsockets/issues/481

Return 403 Forbidden if we don't end up with a uri path starting with /

Signed-off-by: Andy Green <andy@warmcat.com>
This commit is contained in:
Andy Green 2016-04-02 07:36:17 +08:00
parent 45dead99e0
commit a19ff9b24d
2 changed files with 16 additions and 1 deletions

View file

@ -291,6 +291,14 @@ lws_http_action(struct lws *wsi)
break;
}
/* we insist on absolute paths */
if (uri_ptr[0] != '/') {
lws_return_http_status(wsi, HTTP_STATUS_FORBIDDEN, NULL);
goto bail_nuke_ah;
}
/* HTTP header had a content length? */
wsi->u.http.content_length = 0;

View file

@ -218,10 +218,17 @@ check
echo
echo "---- nonexistant file"
rm -f /tmp/lwscap
echo -e "GET nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
echo -e "GET /nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
check media
check
echo
echo "---- relative uri path"
rm -f /tmp/lwscap
echo -e "GET nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
check forbidden
check
echo
echo "---- directory attack 1 (/../../../../etc/passwd should be /etc/passswd)"
rm -f /tmp/lwscap