Fix a low impact directory traversal bug

A common pattern for checking directories in ZNC is the following: sAbsolutePath = CDir::ChangeDir(sAllowedPath, sFile); if (sAbsolutePath.Left(sAllowedPath.length()) != sAllowedPath) Error; But there is a problem: If sAllowedPath doesn't end with a slash, we are vulnerable to an attack. If e.g. sAllowedPath = "/foo/bar", then sFile = "../bartender" would result in sAbsolutePath = "/foo/bartender". Since this path does begin with sAllowedPath, the code allowed it. There shouldn't be any places where this can be exploited currently, but it is still a security bug (path traversal). git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1569 726aef4b-f618-498e-8847-2d620e286838
2026-03-28 17:42:41 +01:00 · 2009-07-21 18:36:33 +00:00
parent 4495a6c2e0
commit c7583c4946
6 changed files with 23 additions and 10 deletions
--- a/FileUtils.cpp
+++ b/FileUtils.cpp
@@ -467,6 +467,15 @@ CString CDir::ChangeDir(const CString& sPath, const CString& sAdd, const CString
 	return (sRet.empty()) ? "/" : sRet;
 }

+CString CDir::CheckPathPrefix(const CString& sPath, const CString& sAdd, const CString& sHomeDir) {
+	CString sPrefix = sPath.Replace_n("//", "/").TrimRight_n("/") + "/";
+	CString sAbsolutePath = ChangeDir(sPrefix, sAdd, sHomeDir);
+
+	if (sAbsolutePath.Left(sPrefix.length()) != sPrefix)
+		return "";
+	return sAbsolutePath;
+}
+
 bool CDir::MakeDir(const CString& sPath, mode_t iMode) {
 	CString sDir;
 	VCString dirs;