Guys,
Attached is a rough patch which seems to fix the problem for OSes which don't use '/' as a file name separator. I managed to get a semi-functional version of Xindice running on my Win98 games machine, and I can't reproduce the exploit with the patch applied, but because Xindice doesn't seem to run correctly under Win98[0], I don't know if it is breaking anything.
Please try http://localhost:4080/..\../ or http://yourservername:4080/..\..
Wei-Chin, can you (or someone else running Xindice on Windows) please apply the patch, see if it fixes the above vulnerability for you, make sure everything else still works and let the list know if it does or does not? You really want to try it on a test instance of Xindice or make sure you back up your repository before you run it on an instance which contains useful data.
Mike.
[0] - Is this a known problem? The for loop which builds the LOCALCLASSPATH in startup.bat doesn't seem to work for me, and I can't manually set a CLASSPATH to fix it because it seems a command line command has a limited length. Stupid broken "operating system."
--
Mike Gratton <[EMAIL PROTECTED]>, <http://web.vee.net/>
"Every motive escalate."
Index: java/src/org/apache/xindice/server/services/HTTPServer.java
===================================================================
RCS file:
/home/cvspublic/xml-xindice/java/src/org/apache/xindice/server/services/HTTPServer.java,v
retrieving revision 1.2
diff -u -r1.2 HTTPServer.java
--- java/src/org/apache/xindice/server/services/HTTPServer.java 26 Feb 2002
07:10:09 -0000 1.2
+++ java/src/org/apache/xindice/server/services/HTTPServer.java 8 Mar 2002
14:03:44 -0000
@@ -737,7 +737,13 @@
// and ScriptName (if one hasn't already been enforced).
boolean foundscript = false;
- st = new StringTokenizer(pathinfo, "/", true);
+
+ // protect against platform-specific file separator attacks
+ String tokens = "/";
+ if (!File.separator.equals(tokens))
+ tokens += File.separator;
+
+ st = new StringTokenizer(pathinfo, tokens, true);
while ( st.hasMoreTokens() ) {
token = st.nextToken();
if ( !foundscript && token.endsWith(".jug") ) {
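Review bot: with `returnDelims` set to true, the tokenizer in this hunk will now hand back `File.separator` (e.g. `\` on Windows) as a delimiter token alongside `/`, so any code further down the `while` loop that recognises delimiters by comparing against a literal `"/"` will treat the backslash as an ordinary path segment and may reassemble a `..\` component unchanged; please check the rest of the loop body accepts both delimiters, or better, normalise `pathinfo` (replace `File.separator` with `/` and reject `..` segments) once before tokenizing rather than widening the delimiter set. Two smaller points: the hunk references `File.separator` but adds no import, so confirm `java.io.File` is already imported in HTTPServer.java; and the `if (!File.separator.equals(tokens))` body should be braced to match the surrounding style.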
