* Recai Oktaş:
> * Recai Oktaş [2006-01-25 09:34:15+0200]
> Florian: If you haven't any objections, I'll upload to stable-security
You need to coordinate this with the stable-security team. If you
could upload a new upstream version to unstable, this would be fine,
though.
So far, the patch for CVE-2006-0347 was missing. A tentative backport
of the upstream fix is included below. I dropped the hunk which dealt
with "scripts" support because this functionality is not present in
the sarge version.
The changelog entry should look like this:
Backport revision 1620 from the upstream Subversion repository:
"Prohibit '..' in URLs" [CVE-2006-0347]
diff --git a/src/elogd.c b/src/elogd.c
index a24f27e..dbf2101 100755
--- a/src/elogd.c
+++ b/src/elogd.c
@@ -20872,6 +20872,25 @@ void server_loop(void)
setcfg_topgroup("");
p = strchr(net_buffer, '/') + 1;
+
+ /* check for ../.. to avoid serving of files on top of the elog
directory */
+ for (i = 0; p[i] && p[i] != ' ' && p[i] != '?'; i++)
+ url[i] = p[i];
+ url[i] = 0;
+
+ if (strstr(url, "../..")) {
+ sprintf(str, "Invalid URL: %s", url);
+ show_error(str);
+ send(_sock, return_buffer, strlen_retbuf + 1, 0);
+ keep_alive = 0;
+ if (verbose) {
+ eprintf("==== Return ================================\n");
+ eputs(return_buffer);
+ eprintf("\n\n");
+ }
+ goto finished;
+ }
+
logbook[0] = 0;
for (i = 0; *p && *p != '/' && *p != '?' && *p != ' '; i++)
logbook[i] = *p++;
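Review bot: The copy loop at the top of the added block writes into `url` with no size bound, so an over-long request path overflows it before the `../..` test ever runs; if `url` is a fixed-size array, bound the loop, e.g. `for (i = 0; i < (int)sizeof(url) - 1 && p[i] && p[i] != ' ' && p[i] != '?'; i++)`. The same applies to `sprintf(str, "Invalid URL: %s", url)` here and to the matching `sprintf` in the second hunk: the file already uses `strlcpy(str, resource_dir, sizeof(str))`, so `snprintf(str, sizeof(str), "Invalid URL: %s", url)` keeps the error path from overflowing on the very input it rejects. Note that the test matches only the literal `../..`, so a single `..` segment or a percent-encoded variant is caught here only if the request was decoded earlier, which is not visible in this hunk. server_loop() begins and ends outside the hunk.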
@@ -20935,6 +20954,21 @@ void server_loop(void)
strstr(logbook, ".jpg") || strstr(logbook, ".png") ||
strstr(logbook, ".ico") || strstr(logbook, ".htm")
|| strstr(logbook, ".css")) {
+
+ /* do not allow '..' in file name */
+ if (strstr(logbook, "..")) {
+ sprintf(str, "Invalid URL: %s", logbook);
+ show_error(str);
+ send(_sock, return_buffer, strlen_retbuf + 1, 0);
+ keep_alive = 0;
+ if (verbose) {
+ eprintf("==== Return ================================\n");
+ eputs(return_buffer);
+ eprintf("\n\n");
+ }
+ goto finished;
+ }
+
/* check if file in resource directory */
strlcpy(str, resource_dir, sizeof(str));
strlcat(str, logbook, sizeof(str));
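Review bot: The `..` rejection only runs inside the branch that matched one of the listed extensions, so a first path segment of `..` followed by a name without such an extension is not rejected here, and only the first hunk's `../..` test stands between it and the non-resource handling, which lies outside this hunk. Unless a lone `..` segment is meaningful elsewhere in server_loop(), tightening the first hunk's test to `strstr(url, "..")` would make the two checks consistent. The error block is also a verbatim copy of the one in the first hunk; a `static` helper such as `reject_url(const char *what)` that formats the message, sends it and clears `keep_alive`, followed by `goto finished;` at each call site, would keep the two paths from drifting apart.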