Fix potential invalid path when fetching static

This commit is contained in:
Stephen Seo 2024-11-03 17:54:55 +09:00
parent c77f8cdb96
commit a14355ac81
3 changed files with 23 additions and 1 deletions

View file

@ -452,6 +452,8 @@ int main(int argc, char **argv) {
response_code = C_SIMPLE_HTTP_Response_400_Bad_Request; response_code = C_SIMPLE_HTTP_Response_400_Bad_Request;
} else if (file_info.result == STATIC_FILE_RESULT_404NotFound) { } else if (file_info.result == STATIC_FILE_RESULT_404NotFound) {
response_code = C_SIMPLE_HTTP_Response_404_Not_Found; response_code = C_SIMPLE_HTTP_Response_404_Not_Found;
} else if (file_info.result == STATIC_FILE_RESULT_InvalidPath) {
response_code = C_SIMPLE_HTTP_Response_400_Bad_Request;
} else { } else {
response_code = C_SIMPLE_HTTP_Response_500_Internal_Server_Error; response_code = C_SIMPLE_HTTP_Response_500_Internal_Server_Error;
} }

View file

@ -120,6 +120,9 @@ C_SIMPLE_HTTP_StaticFileInfo c_simple_http_get_file(
} else if (!ignore_mime_type && !c_simple_http_is_xdg_mime_available()) { } else if (!ignore_mime_type && !c_simple_http_is_xdg_mime_available()) {
file_info.result = STATIC_FILE_RESULT_NoXDGMimeAvailable; file_info.result = STATIC_FILE_RESULT_NoXDGMimeAvailable;
return file_info; return file_info;
} else if (c_simple_http_static_validate_path(path) != 0) {
file_info.result = STATIC_FILE_RESULT_InvalidPath;
return file_info;
} }
uint64_t buf_size = 128; uint64_t buf_size = 128;
@ -298,4 +301,17 @@ C_SIMPLE_HTTP_StaticFileInfo c_simple_http_get_file(
return file_info; return file_info;
} }
int c_simple_http_static_validate_path(const char *path) {
uint64_t length = strlen(path);
for (uint64_t idx = 0; idx <= length && path[idx] != 0; ++idx) {
if (length - idx >= 2) {
if (path[idx] == '.' && path[idx + 1] == '.') {
// Contains "..", invalid.
return 1;
}
}
}
return 0;
}
// vim: et ts=2 sts=2 sw=2 // vim: et ts=2 sts=2 sw=2

View file

@ -26,7 +26,8 @@ typedef enum C_SIMPLE_HTTP_StaticFileResult {
STATIC_FILE_RESULT_InvalidParameter, STATIC_FILE_RESULT_InvalidParameter,
STATIC_FILE_RESULT_NoXDGMimeAvailable, STATIC_FILE_RESULT_NoXDGMimeAvailable,
STATIC_FILE_RESULT_InternalError, STATIC_FILE_RESULT_InternalError,
STATIC_FILE_RESULT_404NotFound STATIC_FILE_RESULT_404NotFound,
STATIC_FILE_RESULT_InvalidPath
} C_SIMPLE_HTTP_StaticFileResult; } C_SIMPLE_HTTP_StaticFileResult;
typedef struct C_SIMPLE_HTTP_StaticFileInfo { typedef struct C_SIMPLE_HTTP_StaticFileInfo {
@ -47,6 +48,9 @@ void c_simple_http_cleanup_static_file_info(
C_SIMPLE_HTTP_StaticFileInfo c_simple_http_get_file( C_SIMPLE_HTTP_StaticFileInfo c_simple_http_get_file(
const char *static_dir, const char *path, int_fast8_t ignore_mime_type); const char *static_dir, const char *path, int_fast8_t ignore_mime_type);
/// Returns zero if OK.
int c_simple_http_static_validate_path(const char *path);
#endif #endif
// vim: et ts=2 sts=2 sw=2 // vim: et ts=2 sts=2 sw=2