From a19ff9b24d39b524b1f47a9e94b3b8d5b1e8970e Mon Sep 17 00:00:00 2001
From: Andy Green
Date: Sat, 2 Apr 2016 07:36:17 +0800
Subject: [PATCH] uri processing reject paths not starting with slash

https://github.com/warmcat/libwebsockets/issues/481

Return 403 Forbidden if we don't end up with a uri path starting with /

Signed-off-by: Andy Green
---
 lib/server.c          | 8 ++++++++
 test-server/attack.sh | 9 ++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/lib/server.c b/lib/server.c
index 4b7078a2..51dd427d 100644
--- a/lib/server.c
+++ b/lib/server.c
@@ -291,6 +291,14 @@ lws_http_action(struct lws *wsi)
 			break;
 		}
 
+	/* we insist on absolute paths */
+
+	if (uri_ptr[0] != '/') {
+		lws_return_http_status(wsi, HTTP_STATUS_FORBIDDEN, NULL);
+
+		goto bail_nuke_ah;
+	}
+
 	/* HTTP header had a content length? */
 
 	wsi->u.http.content_length = 0;
diff --git a/test-server/attack.sh b/test-server/attack.sh
index bd160006..f1a4e1bf 100755
--- a/test-server/attack.sh
+++ b/test-server/attack.sh
@@ -218,10 +218,17 @@ check
 echo
 echo "---- nonexistant file"
 rm -f /tmp/lwscap
-echo -e "GET nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
+echo -e "GET /nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
 check media
 check
+echo
+echo "---- relative uri path"
+rm -f /tmp/lwscap
+echo -e "GET nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
+check forbidden
+check
+
 
 echo
 echo "---- directory attack 1 (/../../../../etc/passwd should be /etc/passswd)"
 rm -f /tmp/lwscap
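Review bot: The new `if (uri_ptr[0] != '/')` test in lws_http_action reads the first byte of the request-target without confirming that a non-empty target was parsed; if the earlier parsing (outside this hunk) can leave `uri_ptr` pointing at an empty string, the byte read is the terminator and the branch still takes the 403 path, which is the intended outcome, but if it can leave `uri_ptr` unset the read is undefined, so it is worth combining the check with the parsed length the function already tracks, e.g. `if (uri_len < 1 || uri_ptr[0] != '/') {` if that local is available here. The same comparison also rejects absolute-form request-targets (`GET http://host/path HTTP/1.1`), which an origin server is expected to accept per RFC 7230 §5.3.2, unless the header parser has already reduced them to a path before this point — the hunk does not show that, and the attack.sh hunk adds no case for it, so either confirm and document it or add a test alongside the new "relative uri path" case. The comment would be more useful if it said why: `/* the target must be origin-form ("/..."): anything else cannot be safely resolved against the served directory, so answer 403 */`. The enclosing lws_http_action body starts and ends outside the hunk.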
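Review bot: The new "relative uri path" case pipes the reply through `sed '1,/^\r$/d'` before `check forbidden`, so the status line is discarded and the assertion can only be made on the body text, which presumably is whatever lws_return_http_status emits for HTTP_STATUS_FORBIDDEN — a weaker check than the 403 itself. Capturing the full reply (or the first line) for this case, e.g. `echo -e "GET nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | head -n1 > /tmp/lwscap`, and matching on `403` would pin the behaviour the commit message promises rather than the body wording. The accepted arguments of `check` are defined outside this hunk, so `forbidden` may need a matching branch there as well.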