A common pattern for checking directories in ZNC is the following:
sAbsolutePath = CDir::ChangeDir(sAllowedPath, sFile);
if (sAbsolutePath.Left(sAllowedPath.length()) != sAllowedPath)
Error;
But there is a problem: If sAllowedPath doesn't end with a slash, we are
vulnerable to an attack. If e.g. sAllowedPath = "/foo/bar", then
sFile = "../bartender" would result in sAbsolutePath = "/foo/bartender". Since
this path does begin with sAllowedPath, the code allowed it.
There shouldn't be any places where this can be exploited currently, but it is
still a security bug (path traversal).
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1569 726aef4b-f618-498e-8847-2d620e286838
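As an added illustration (not ZNC's own code), the flawed prefix comparison described above is shown beside a component-wise containment check built on std::filesystem; the helper names naive_prefix_check and path_is_within are assumed, and paths are resolved lexically only (no symlink resolution).

```cpp
// Added example, not ZNC code. Demonstrates why a string-prefix check on the
// joined path is fooled by "/foo/bar" vs "/foo/bartender", and how comparing
// path components instead catches the traversal regardless of a trailing slash.
#include <filesystem>
#include <iostream>
#include <string>

namespace fs = std::filesystem;

// The flawed pattern from the commit message: join, normalise, then compare
// the result's string prefix against the allowed directory.
bool naive_prefix_check(const std::string& allowed, const std::string& file) {
    std::string abs = (fs::path(allowed) / file).lexically_normal().string();
    return abs.compare(0, allowed.size(), allowed) == 0;
}

// Hardened check: express the candidate relative to the allowed directory and
// reject it if that relative path has to climb out with "..". Because the
// comparison works on path elements, "/foo/bar" and "/foo/bar/" behave alike,
// and an absolute 'file' argument (which operator/ would replace the base with)
// is rejected for the same reason.
bool path_is_within(const std::string& allowed, const std::string& file) {
    fs::path base = fs::path(allowed).lexically_normal();
    fs::path cand = (fs::path(allowed) / file).lexically_normal();
    fs::path rel = cand.lexically_relative(base);
    if (rel.empty()) return false;          // unrelated roots (e.g. drive mismatch)
    return *rel.begin() != "..";            // "." (the directory itself) is accepted
}

int main() {
    // Constructed sample inputs mirroring the commit message's scenario.
    const std::string allowed = "/foo/bar";
    const std::string evil = "../bartender";
    std::cout << "naive:    " << naive_prefix_check(allowed, evil) << '\n';  // 1 (bypassed)
    std::cout << "hardened: " << path_is_within(allowed, evil) << '\n';      // 0 (rejected)
    std::cout << "hardened (legit): " << path_is_within(allowed, "baz.txt") << '\n'; // 1
    return 0;
}
```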
We need to have an upper limit of the size of HTTP POST data. With the current
code you could just send 4 GiB of data to webadmin and ZNC would try to keep all
of this in memory.
This patch implements an upper limit for HTTP POST data of 1 MiB.
Thanks to cnu for finding this.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1559 726aef4b-f618-498e-8847-2d620e286838
There was a bug in webadmin which allowed any users to write arbitrary strings
to znc.conf by setting e.g. their quit message to:
Some quit message
Admin = true
LoadModule = shell
</User>
ISpoofFile = /home/<user>/.ssh/authorized_keys
ISpoofFormat = <some ssh key>
<User a>
(The newlines must be sent as newlines to webadmin)
This commit fixes this by stripping all newlines from all the data fields
by default. Since some fields (e.g. CTCPReplies and Servers) do need newlines,
there is a new function CHTTPSock::GetRawParam() which doesn't do the stripping.
Thanks to cnu for finding and reporting this bug.
Thanks to kroimon for patch review.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1395 726aef4b-f618-498e-8847-2d620e286838
This limits the max file size to 16 MiB and makes the read loop stop after
it has read as many bytes as GetSize() said the file is long. This fixes
an endless loop when trying to transfer endless files like /dev/zero.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1374 726aef4b-f618-498e-8847-2d620e286838
If such a file is served (e.g. webadmin images) an ETag header is now generated.
When the browser needs the file again it sends the ETag back to us in an
If-None-Match header and the file isn't transferred again if the ETag still
matches. This should greatly reduce webadmin's traffic usage.
This also updates HTTPSock to sometimes generate an HTTP/1.1 reply
(ETag was added in HTTP/1.1).
This was successfully tested with Firefox 2 & 3 and IE7.
Konqueror failed badly (No If-None-Match header generated).
Thanks to flakes for having the idea, writing the patch and testing it.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1248 726aef4b-f618-498e-8847-2d620e286838
CSocket caches the data read from a socket and then looks for lines in there.
If there is no line end, this buffer can grow quite large. This patch now
closes sockets if they get a huge read buffer.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1233 726aef4b-f618-498e-8847-2d620e286838
Those functions were not modified. Only change is the name.
Those *Dir() functions really made no sense in CUtils when there is FileUtils
stuff. They really fit much better into here. I'll bet they'll make new friends
fast. I mean, why shouldn't they?
Uhm... sorry ;)
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1044 726aef4b-f618-498e-8847-2d620e286838