libsoup: add patch to fix CVE-2011-2054
Fixes a security hole that caused some SoupServer users to unintentionally allow accessing the entire local filesystem when they thought they were only providing access to a single directory. This is the change from libsoup-2.34.3 backported to 2.32.2. It doesn't include the changes to the test suite though. Signed-off-by: Sven Neumann <s.neumann@raumfeld.com> Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
This commit is contained in:
parent
d49286740a
commit
e9394d8ca2
32
package/libsoup/libsoup-CVE-2011-2054.patch
Normal file
32
package/libsoup/libsoup-CVE-2011-2054.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From 4617b6ef6dd21931a0153070c5b5ff7ef21b46f8 Mon Sep 17 00:00:00 2001
|
||||
From: Dan Winship <danw@gnome.org>
|
||||
Date: Wed, 29 Jun 2011 10:04:06 -0400
|
||||
Subject: [PATCH] SoupServer: fix to not allow smuggling ".." into path
|
||||
|
||||
When SoupServer:raw-paths was set (the default), it was possible to
|
||||
sneak ".." segments into the path passed to the SoupServerHandler,
|
||||
which could then end up tricking some handlers into retrieving
|
||||
arbitrary files from the filesystem. Fix that.
|
||||
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=653258
|
||||
|
||||
diff --git a/libsoup/soup-server.c b/libsoup/soup-server.c
|
||||
index d56efd1..7225337 100644
|
||||
--- a/libsoup/soup-server.c
|
||||
+++ b/libsoup/soup-server.c
|
||||
@@ -779,6 +779,15 @@ got_headers (SoupMessage *req, SoupClientContext *client)
|
||||
|
||||
uri = soup_message_get_uri (req);
|
||||
decoded_path = soup_uri_decode (uri->path);
|
||||
+
|
||||
+ if (strstr (decoded_path, "/../") ||
|
||||
+ g_str_has_suffix (decoded_path, "/..")) {
|
||||
+ /* Introducing new ".." segments is not allowed */
|
||||
+ g_free (decoded_path);
|
||||
+ soup_message_set_status (req, SOUP_STATUS_BAD_REQUEST);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
soup_uri_set_path (uri, decoded_path);
|
||||
g_free (decoded_path);
|
||||
}
|
Loading…
Reference in New Issue
Block a user