Hendrik Sattler wrote:
Am Dienstag 12 Juni 2007 15:41 schrieb Frederic Danis:
- if (strstr(name, "/../"))
+ if ((strstr(name, "/")) || (strncmp(name, "..", 2) == 0))
{
Both versions are incorrect, try the following:
if (strncmp(name,"../", 3) == 0 ||
strcmp(name, "..") == 0 ||
(strlen(name) > 3 &&
(strstr(name,"/../") != NULL ||
strncmp(name+strlen(name)-3,"/..",3) == 0)))
{
A server should possibly deny any such path.
Other processing should come before this check: converting '\\' to '/' and removing any leading '/'.
I tried your suggestions, and this works fine for me.
Find attached an updated version of the patch.
Regards
Fred
--
-----------------------------------------------
It is not by improving the oil lamp that one invents the electric bulb!
-----------------------------------------------
Danis Frederic Access Company
Software engineer
Mail : mailto:[EMAIL PROTECTED]
-----------------------------------------------
diff -Naur obexftp-0.22-rc3/apps/obexftpd.c obexftp-0.22/apps/obexftpd.c
--- obexftp-0.22-rc3/apps/obexftpd.c 2007-06-05 03:36:35.000000000 +0200
+++ obexftp-0.22/apps/obexftpd.c 2007-06-15 16:15:55.000000000 +0200
@@ -364,27 +364,46 @@
if (name)
{
- if (strstr(name, "/../"))
+ if (strncmp(name, "../", 3) == 0 ||
+ strcmp(name, "..") == 0 ||
+ (strlen(name) > 3 &&
+ (strstr(name, "/../") != NULL ||
+ strncmp(name + strlen(name) - 3, "/..", 3) == 0)))
{
OBEX_ObjectSetRsp(object, OBEX_RSP_CONTINUE, OBEX_RSP_FORBIDDEN);
} else {
- strcpy(fullname, CUR_DIR);
- strncat(fullname, name, sizeof(fullname)-1);
- if ((*setpath_nohdr_data & 2) == 0) {
- if (verbose) printf("mkdir %s\n", name);
- if (mkdir(fullname, 0755) < 0) {
- perror("requested mkdir failed");
+ strcpy(fullname, CUR_DIR);
+ strncat(fullname, name, sizeof(fullname)-1);
+ if ((*setpath_nohdr_data & 2) == 0) {
+ if (verbose) printf("mkdir %s\n", name);
+ if (mkdir(fullname, 0755) < 0) {
+ perror("requested mkdir failed");
+ }
+ }
+
+ if (verbose) printf("Set path to %s\n",fullname);
+ if (chdir(fullname) < 0) {
+ perror("requested chdir failed\n");
+ OBEX_ObjectSetRsp(object, OBEX_RSP_CONTINUE, OBEX_RSP_FORBIDDEN);
}
- }
- if (verbose) printf("Set path to %s\n",fullname);
- if (chdir(fullname) < 0)
- {
- perror("requested chdir failed\n");
- OBEX_ObjectSetRsp(object, OBEX_RSP_CONTINUE, OBEX_RSP_FORBIDDEN);
- }
}
free(name);
name = NULL;
+ } else if ((*setpath_nohdr_data & 3) == 3) {
+ if (getcwd(fullname, WORK_PATH_MAX - 1) == NULL) {
+ perror("unable to get current dir");
+ OBEX_ObjectSetRsp(object, OBEX_RSP_CONTINUE, OBEX_RSP_FORBIDDEN);
+ } else if (strstr(fullname, init_work_path) == NULL) {
+ perror("not allowed");
+ OBEX_ObjectSetRsp(object, OBEX_RSP_CONTINUE, OBEX_RSP_FORBIDDEN);
+ } else {
+ if (verbose) printf("Set path backward\n");
+ if (chdir("./..") < 0)
+ {
+ perror("requested chdir failed\n");
+ OBEX_ObjectSetRsp(object, OBEX_RSP_CONTINUE, OBEX_RSP_FORBIDDEN);
+ }
+ }
}
}
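Review bot: The `strlen(name) > 3` guard in the new traversal check leaves the three-character name "/.." untested: it is too short for the "/../" search but exactly the length of the trailing-"/.." comparison the guard skips, so the guard should read `strlen(name) >= 3` (the `strstr` call needs no length guard at all). The backward branch checks the directory the server is in rather than the one it is about to enter, so from init_work_path itself `chdir("./..")` still leaves the tree, and `strstr(fullname, init_work_path)` accepts any path that merely contains that string somewhere; a prefix compare that also refuses the root, `} else if (strncmp(fullname, init_work_path, strlen(init_work_path)) != 0 || strcmp(fullname, init_work_path) == 0) {`, closes both (and `perror("not allowed")` appends an unrelated errno text, `fputs` would be clearer). The re-indented `strncat(fullname, name, sizeof(fullname)-1)` bounds the append by the whole buffer instead of what remains after `strcpy(fullname, CUR_DIR)`; use `strncat(fullname, name, sizeof(fullname) - strlen(fullname) - 1);`, and whether `WORK_PATH_MAX - 1` passed to getcwd fits fullname cannot be told from the hunk. The '\\' to '/' conversion and leading-'/' stripping suggested upthread are not in this hunk either, so the check only sees '/'-separated components. The enclosing function starts and ends outside the hunk.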