Hello,

Are you OK with this patch?

Thanks

Fred

Frederic Danis wrote:
> Hendrik Sattler wrote:
>> Am Dienstag 12 Juni 2007 15:41 schrieb Frederic Danis:
>>> -               if (strstr(name, "/../"))
>>> +               if ((strstr(name, "/")) || (strncmp(name, "..", 2) == 
>>> 0))
>>>                 {
>>
>> Both versions are incorrect, try the following:
>>   if (strncmp(name,"../", 3) == 0 ||
>>       strcmp(name, "..") == 0 ||
>>       (strlen(name) > 3 &&
>>        (strstr(name,"/../") != NULL ||
>>         strncmp(name+strlen(name)-3,"/..",3) == 0)))
>>   {
>>
>> A server should probably deny any such path.
>> Other stuff should prepend this: '\\'->'/' and removing any leading '/'.
>>
> 
> I tried your suggestion, and it works fine for me.
> Find attached an updated version of the patch.
> 
> Regards
> 
> Fred
> 
> 
> ------------------------------------------------------------------------
> 
> diff -Naur obexftp-0.22-rc3/apps/obexftpd.c obexftp-0.22/apps/obexftpd.c
> --- obexftp-0.22-rc3/apps/obexftpd.c  2007-06-05 03:36:35.000000000 +0200
> +++ obexftp-0.22/apps/obexftpd.c      2007-06-15 16:15:55.000000000 +0200
> @@ -364,27 +364,46 @@
>       
>       if (name)
>       {
> -             if (strstr(name, "/../"))
> +             if (strncmp(name, "../", 3) == 0 ||
> +                 strcmp(name, "..") == 0 ||
> +                 (strlen(name) > 3 &&
> +                  (strstr(name, "/../") != NULL ||
> +                   strncmp(name + strlen(name) - 3, "/..", 3) == 0)))
>               {
>                       OBEX_ObjectSetRsp(object, OBEX_RSP_CONTINUE, 
> OBEX_RSP_FORBIDDEN);
>               } else {
> -             strcpy(fullname, CUR_DIR);
> -             strncat(fullname, name, sizeof(fullname)-1);
> -             if ((*setpath_nohdr_data & 2) == 0) {
> -                     if (verbose) printf("mkdir %s\n", name);
> -                     if (mkdir(fullname, 0755) < 0) {
> -                             perror("requested mkdir failed");
> +                     strcpy(fullname, CUR_DIR);
> +                     strncat(fullname, name, sizeof(fullname)-1);
> +                     if ((*setpath_nohdr_data & 2) == 0) {
> +                             if (verbose) printf("mkdir %s\n", name);
> +                             if (mkdir(fullname, 0755) < 0) {
> +                                     perror("requested mkdir failed");
> +                             }
> +                     }
> +
> +                     if (verbose) printf("Set path to %s\n",fullname);
> +                     if (chdir(fullname) < 0) {
> +                             perror("requested chdir failed\n");
> +                             OBEX_ObjectSetRsp(object, OBEX_RSP_CONTINUE, 
> OBEX_RSP_FORBIDDEN);
>                       }
> -             }
> -             if (verbose) printf("Set path to %s\n",fullname);
> -             if (chdir(fullname) < 0)
> -             {
> -                     perror("requested chdir failed\n");
> -                     OBEX_ObjectSetRsp(object, OBEX_RSP_CONTINUE, 
> OBEX_RSP_FORBIDDEN);
> -             }
>               }
>               free(name);
>               name = NULL;
> +     } else if ((*setpath_nohdr_data & 3) == 3) {
> +             if (getcwd(fullname, WORK_PATH_MAX - 1) == NULL) {
> +                     perror("unable to get current dir");
> +                     OBEX_ObjectSetRsp(object, OBEX_RSP_CONTINUE, 
> OBEX_RSP_FORBIDDEN);
> +             } else if (strstr(fullname, init_work_path) == NULL) {
> +                     perror("not allowed");
> +                     OBEX_ObjectSetRsp(object, OBEX_RSP_CONTINUE, 
> OBEX_RSP_FORBIDDEN);
> +             } else {
> +                     if (verbose) printf("Set path backward\n");
> +                     if (chdir("./..") < 0)
> +                     {
> +                             perror("requested chdir failed\n");
> +                             OBEX_ObjectSetRsp(object, OBEX_RSP_CONTINUE, 
> OBEX_RSP_FORBIDDEN);
> +                     }
> +             }
>       }
>  }
>  
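Review bot: The `strlen(name) > 3` guard in the new traversal check lets the three-character name `/..` through: neither `strncmp(name, "../", 3)` nor `strcmp(name, "..")` matches it, the `/../` and trailing-`/..` tests are skipped, and after CUR_DIR is prepended the chdir() still steps into the parent directory (mkdir() merely fails with EEXIST first), so the guard should read `strlen(name) >= 3`. In the new backward branch, `strstr(fullname, init_work_path) == NULL` is a substring test, so it passes when the current directory is init_work_path itself and `chdir("./..")` then leaves the served tree; a prefix test that also requires the cwd to be strictly below the root is needed, e.g. `size_t rootlen = strlen(init_work_path);` followed by `if (strncmp(fullname, init_work_path, rootlen) != 0 || fullname[rootlen] != '/')`, assuming init_work_path is canonical and has no trailing slash, which is not visible here. The re-indented `strncat(fullname, name, sizeof(fullname)-1)` bounds the copy by the whole buffer rather than the space left after `strcpy(fullname, CUR_DIR)`, so a long client-supplied name overruns fullname; use `strncat(fullname, name, sizeof(fullname) - strlen(fullname) - 1)`. The thread's suggestion to map `\\` to `/` and strip leading `/` before these checks is not part of the patch. The enclosing function starts before the hunk.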
> 
> 
> ------------------------------------------------------------------------
> 
> 
> 
> ------------------------------------------------------------------------
> 


-- 
-----------------------------------------------
It is not by improving the oil lamp that one invents the electric bulb!
-----------------------------------------------
Danis Frederic                   Access Company
Software engineer
Mail : mailto:[EMAIL PROTECTED]
-----------------------------------------------

