To: 9front@9front.org
CC: igor@9lab.org
Date: Fri, 01 Apr 2022 03:08:06 +0200
From: igor@9lab.org
Subject: [9front] [PATCH] rc-httpd: do not escape FS_ROOT for dir-index and serve-static

The below diff fixes the rc-httpd issue exposed on 4chan[1] whereby one could escape FS_ROOT via clever URL manipulations when used with dir-index/serve-static http-handlers. The solution makes use of cleanname(1) and checks if the computed path is still prefixed with FS_ROOT. I am sure there are other solutions; consider this as one possible suggestion...

[1] https://inbox.vuxu.org/9front/EC93BCF8DB4A22F2A1E6CF0D3FB0C16A@5ess.inri.net/

diff 2367a2aeaec8432e6b059135e49c2fa86e415ae5 uncommitted --- a/rc/bin/rc-httpd/handlers/dir-index +++ b/rc/bin/rc-httpd/handlers/dir-index @@ -2,6 +2,10 @@ PATH_INFO=`{echo $PATH_INFO | urlencode -d} full_path=$"FS_ROOT^$"PATH_INFO full_path=$"full_path +if(! ~ `{cleanname -d$FS_ROOT $full_path} `{cleanname $FS_ROOT}^*){ + error 503 + exit +} if(! test -d $full_path){ error 404 exit @@ -14,8 +18,7 @@ if(~ $"NOINDEXFILE ^ $"NOINDEX ''){ ifile=index.htm* if(! ~ $ifile(1) *'*'){ - PATH_INFO=$ifile(1) - FS_ROOT='' + PATH_INFO=$PATH_INFO^$ifile(1) exec serve-static } } --- a/rc/bin/rc-httpd/handlers/serve-static +++ b/rc/bin/rc-httpd/handlers/serve-static @@ -1,6 +1,10 @@ #!/bin/rc full_path=`{echo $"FS_ROOT^$"PATH_INFO | urlencode -d} full_path=$"full_path +if(! ~ `{cleanname -d$FS_ROOT $full_path} `{cleanname $FS_ROOT}^*){ + error 503 + exit +} if(~ $full_path */) error 503 if(test -d $full_path){
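Review bot: the prefix test in the new dir-index guard (first hunk, `@@ -2,6 +2,10 @@`), `cleanname $FS_ROOT`^*, also admits paths outside the root that merely share its string prefix: with FS_ROOT=/usr/web, a request for /../webadmin/x cleans to /usr/webadmin/x, which starts with /usr/web and passes. Match the root exactly or the root followed by a slash instead, e.g. `if(! ~ `{cleanname -d$FS_ROOT $full_path} `{cleanname $FS_ROOT} `{cleanname $FS_ROOT}^/*)`, which still accepts the root itself when PATH_INFO is empty or `/`.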
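Review bot: in the second dir-index hunk (`@@ -14,8 +18,7 @@`), `PATH_INFO=$PATH_INFO^$ifile(1)` joins the two without a separator, so it only yields a valid path when $PATH_INFO already ends in `/`; the visible context does not show what `ifile=index.htm*` expands to, and the removed `FS_ROOT=''` implies $ifile(1) used to be usable as a path on its own, so please confirm the joined value for a request without a trailing slash before `exec serve-static`. Separately, $PATH_INFO was already url-decoded at the top of this handler and serve-static decodes `$"FS_ROOT^$"PATH_INFO` a second time, so a directory name containing a literal `%xx` sequence is now decoded twice on this path; handing serve-static the still-encoded PATH_INFO (or an already-final path it does not decode again) avoids that.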
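Review bot: the serve-static hunk (`@@ -1,6 +1,10 @@`) duplicates the dir-index guard verbatim, including the prefix-only match on `cleanname $FS_ROOT`^*, so both copies need the same tightening (compare against the root and root^/*) and will drift apart on the next fix; a single shared check in handlers/ that both scripts invoke would keep them aligned. Also, 503 Service Unavailable is the wrong status for a request rejected as invalid; 403, or 404 if you prefer not to distinguish a blocked path from a missing one, matches what the guard expresses, even though the existing `*/` check just below already uses 503.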