uri processing reject paths not starting with slash

https://github.com/warmcat/libwebsockets/issues/481 Return 403 Forbidden if we don't end up with a uri path starting with / Signed-off-by: Andy Green <andy@warmcat.com>
2025-03-09 00:00:04 +01:00 · 2016-04-02 07:36:17 +08:00 · 2016-04-02 07:36:17 +08:00 · a19ff9b24d
commit a19ff9b24d
parent 45dead99e0
2 changed files with 16 additions and 1 deletions
--- a/lib/server.c
+++ b/lib/server.c
@ -291,6 +291,14 @@ lws_http_action(struct lws *wsi)
 			break;
 		}

+	/* we insist on absolute paths */
+
+	if (uri_ptr[0] != '/') {
+		lws_return_http_status(wsi, HTTP_STATUS_FORBIDDEN, NULL);
+
+		goto bail_nuke_ah;
+	}
+
 	/* HTTP header had a content length? */

 	wsi->u.http.content_length = 0;
--- a/test-server/attack.sh
+++ b/test-server/attack.sh
@ -218,10 +218,17 @@ check
 echo
 echo "---- nonexistant file"
 rm -f /tmp/lwscap
-echo -e "GET nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
+echo -e "GET /nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
 check media
 check

+echo
+echo "---- relative uri path"
+rm -f /tmp/lwscap
+echo -e "GET nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
+check forbidden
+check
+
 echo
 echo "---- directory attack 1 (/../../../../etc/passwd should be /etc/passswd)"
 rm -f /tmp/lwscap