diff --git a/lib/server.c b/lib/server.c index 4b7078a2..51dd427d 100644 --- a/lib/server.c +++ b/lib/server.c @@ -291,6 +291,14 @@ lws_http_action(struct lws *wsi) break; } + /* we insist on absolute paths */ + + if (uri_ptr[0] != '/') { + lws_return_http_status(wsi, HTTP_STATUS_FORBIDDEN, NULL); + + goto bail_nuke_ah; + } + /* HTTP header had a content length? */ wsi->u.http.content_length = 0; diff --git a/test-server/attack.sh b/test-server/attack.sh index bd160006..f1a4e1bf 100755 --- a/test-server/attack.sh +++ b/test-server/attack.sh @@ -218,10 +218,17 @@ check echo echo "---- nonexistant file" rm -f /tmp/lwscap -echo -e "GET nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap +echo -e "GET /nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap check media check +echo +echo "---- relative uri path" +rm -f /tmp/lwscap +echo -e "GET nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap +check forbidden +check + echo echo "---- directory attack 1 (/../../../../etc/passwd should be /etc/passswd)" rm -f /tmp/lwscap