source@mandoc.bsd.lv
* mdocml: Security fix: Validate the manpath up front and report a Bad
@ 2014-07-19 13:15 schwarze
  0 siblings, 0 replies; only message in thread
From: schwarze @ 2014-07-19 13:15 UTC (permalink / raw)
  To: source

Log Message:
-----------
Security fix:
Validate the manpath up front and report a Bad Request if it is not 
listed in manpath.conf, such that clients can't probe which directories
exist on the server.  In case of configuration errors, consistently
report Internal Server Error without disclosing any further information.

Partially based on a patch from Sebastien Marie <semarie-openbsd at 
latrappe dot fr>, but avoiding a couple of issues with that patch
and approaching the issue in a somewhat more rigorous way.

Modified Files:
--------------
    mdocml:
        cgi.c

Revision Data
-------------
Index: cgi.c
===================================================================
RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/cgi.c,v
retrieving revision 1.76
retrieving revision 1.77
diff -Lcgi.c -Lcgi.c -u -p -r1.76 -r1.77
--- cgi.c
+++ cgi.c
@@ -467,6 +467,21 @@ resp_searchform(const struct req *req)
 }
 
 static int
+validate_manpath(const struct req *req, const char* manpath)
+{
+	size_t	 i;
+
+	if ( ! strcmp(manpath, "mandoc"))
+		return(1);
+
+	for (i = 0; i < req->psz; i++)
+		if ( ! strcmp(manpath, req->p[i]))
+			return(1);
+
+	return(0);
+}
+
+static int
 validate_filename(const char *file)
 {
 
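Review bot: In validate_manpath(), the literal "mandoc" is accepted before the loop over req->p with no comment saying why, so it reads as an unexplained exception to the manpath.conf allow-list that the log message describes. A one-line comment stating what "mandoc" refers to would make the exception visibly intentional. Style: `const char* manpath` differs from the `const char *file` spacing in validate_filename() directly below.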
@@ -819,6 +834,12 @@ pg_show(const struct req *req, const cha
 	} 
 	*sub++ = '\0';
 
+	if ( ! validate_manpath(req, path)) {
+		pg_error_badrequest(
+		    "You specified an invalid manpath.");
+		return;
+	}
+
 	/*
 	 * Begin by chdir()ing into the manpath.
 	 * This way we can pick up the database files, which are
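Review bot: The new validate_manpath() block in pg_show() carries no comment, while the chdir() block right after it does. Add a short comment that this check has to stay ahead of chdir(), so the response never depends on whether the directory exists; otherwise a later reordering can silently undo the fix.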
@@ -826,8 +847,9 @@ pg_show(const struct req *req, const cha
 	 */
 
 	if (-1 == chdir(path)) {
-		pg_error_badrequest(
-		    "You specified an invalid manpath.");
+		fprintf(stderr, "chdir %s: %s\n",
+		    path, strerror(errno));
+		pg_error_internal();
 		return;
 	}
 
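Review bot: The replacement branch under chdir(path), the fprintf of "chdir %s: %s" followed by pg_error_internal(), is repeated in pg_search() with only the variable changed. A small helper that takes the path would keep the two error paths from drifting apart.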
@@ -861,8 +883,9 @@ pg_search(const struct req *req)
 	 */
 
 	if (-1 == (chdir(req->q.manpath))) {
-		pg_error_badrequest(
-		    "You specified an invalid manpath.");
+		fprintf(stderr, "chdir %s: %s\n",
+		    req->q.manpath, strerror(errno));
+		pg_error_internal();
 		return;
 	}
 
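Review bot: In pg_search(), a chdir() failure on req->q.manpath is now reported as an internal error, which is only right because main() validates req.q.manpath before dispatching. pg_show() validates its path locally, so a comment here naming that precondition would help anyone who later calls pg_search() from another place.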
@@ -953,6 +976,12 @@ main(void)
 
 	if (NULL != (querystring = getenv("QUERY_STRING")))
 		http_parse(&req, querystring);
+
+	if ( ! validate_manpath(&req, req.q.manpath)) {
+		pg_error_badrequest(
+		    "You specified an invalid manpath.");
+		return(EXIT_FAILURE);
+	}
 
 	/* Dispatch to the three different pages. */
 
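Review bot: In main(), validate_manpath() is called with req.q.manpath even when QUERY_STRING is unset and http_parse() is skipped, and validate_manpath() hands its argument straight to strcmp(). Whether req.q.manpath has a default by this point is not visible in the hunk; if it can be NULL here, add a NULL check in validate_manpath(), otherwise a comment pointing at where the default is set would settle it.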
--
 To unsubscribe send an email to source+unsubscribe@mdocml.bsd.lv
