Fix a low impact directory traversal bug

A common pattern for checking directories in ZNC is the following: sAbsolutePath = CDir::ChangeDir(sAllowedPath, sFile); if (sAbsolutePath.Left(sAllowedPath.length()) != sAllowedPath) Error; But there is a problem: If sAllowedPath doesn't end with a slash, we are vulnerable to an attack. If e.g. sAllowedPath = "/foo/bar", then sFile = "../bartender" would result in sAbsolutePath = "/foo/bartender". Since this path does begin with sAllowedPath, the code allowed it. There shouldn't be any places where this can be exploited currently, but it is still a security bug (path traversal). git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1569 726aef4b-f618-498e-8847-2d620e286838
2026-03-28 17:42:41 +01:00 · 2009-07-21 18:36:33 +00:00
parent 4495a6c2e0
commit c7583c4946
6 changed files with 23 additions and 10 deletions
--- a/modules/webadmin.cpp
+++ b/modules/webadmin.cpp
@@ -254,12 +254,11 @@ CString CWebAdminSock::GetAvailSkinsDir() {
 CString CWebAdminSock::GetSkinDir() {
 	CString sAvailSkins = GetAvailSkinsDir();
 	CString sSkinDir = sAvailSkins + GetModule()->GetSkinName() + "/";
-	CString sDir = CDir::ChangeDir("./", sSkinDir, "/");
+	CString sDir = CDir::CheckPathPrefix("./", sSkinDir, "/");

-	// Via ChangeDir() we check if someone tries to use e.g. a skin name
+	// Via CheckPrefix() we check if someone tries to use e.g. a skin name
 	// with embed .. or such evilness.
-	if (sDir.Left(sAvailSkins.length()) == sAvailSkins
-			&& CFile::IsDir(sSkinDir)) {
+	if (!sDir.empty() && CFile::IsDir(sSkinDir)) {
 		return sSkinDir;
 	}