iarv/znc
1
0
Fork 0
mirror of https://github.com/znc/znc.git synced 2026-03-28 17:42:41 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix a low impact directory traversal bug

Browse Source 
A common pattern for checking directories in ZNC is the following:

	sAbsolutePath = CDir::ChangeDir(sAllowedPath, sFile);
	if (sAbsolutePath.Left(sAllowedPath.length()) != sAllowedPath)
		Error;

But there is a problem: If sAllowedPath doesn't end with a slash, we are
vulnerable to an attack. If e.g. sAllowedPath = "/foo/bar", then
sFile = "../bartender" would result in sAbsolutePath = "/foo/bartender". Since
this path does begin with sAllowedPath, the code allowed it.

There shouldn't be any places where this can be exploited currently, but it is
still a security bug (path traversal).


git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1569 726aef4b-f618-498e-8847-2d620e286838
This commit is contained in:
psychon
2009-07-21 18:36:33 +00:00
parent 4495a6c2e0
commit c7583c4946
6 changed files with 23 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
ClientCommand.cpp
View File

@@ -397,9 +397,9 @@ void CClient::UserCommand(CString& sLine) {
return;
}
sAbsolutePath = CDir::ChangeDir(m_pUser->GetDLPath(), sFile, CZNC::Get().GetHomePath());
sAbsolutePath = CDir::CheckPathPrefix(sAllowedPath, sFile);
if (sAbsolutePath.Left(sAllowedPath.length()) != sAllowedPath) {
if (sAbsolutePath.empty()) {
PutStatus("Illegal path.");
return;
}
@@ -415,9 +415,9 @@ void CClient::UserCommand(CString& sLine) {
return;
}
sAbsolutePath = CDir::ChangeDir(m_pUser->GetDLPath(), sFile, CZNC::Get().GetHomePath());
sAbsolutePath = CDir::CheckPathPrefix(sAllowedPath, sFile);
if (sAbsolutePath.Left(sAllowedPath.length()) != sAllowedPath) {
if (sAbsolutePath.empty()) {
PutStatus("Illegal path.");
return;
}