author | Omar Polo <op@omarpolo.com> | 2021-04-12 20:11:47 +0000 |
---|---|---|
committer | Omar Polo <op@omarpolo.com> | 2021-04-12 20:11:47 +0000 |
commit | 9d092b607a25f4598557792be5ec35f02c3ae966 (patch) | |
tree | 9e85a85f2889e912923dada21e29b7dcf95a3192 /iri.c | |
parent | f2522b43139cc1a41a4a75d9eff84ee40be408da (diff) |
fix IRI-parsing bug
Some particularly crafted IRIs can cause a denial of service (DOS).
IRIs which have a trailing `..' segment and resolve to a valid IRI
(i.e. a .. that's not escaping the root directory) will make the
server process loop forever.
This is """just""" a DOS vulnerability, it doesn't expose anything
sensitive or give an attacker anything else.
Diffstat (limited to 'iri.c')
-rw-r--r-- | iri.c | 6 |
1 files changed, 5 insertions, 1 deletions
@@ -272,9 +272,13 @@ path_clean(char *path) } /* 3. eliminate each inner .. along with the preceding non-.. */ - for (i = strstr(path, "../"); i != NULL; i = strstr(path, "..")) + for (i = strstr(path, "../"); i != NULL; i = strstr(path, "..")) { + /* break if we've found a trailing .. */ + if (i[2] == '\0') + break; if (!path_elide_dotdot(path, i, 3)) return 0; + } /* 4. eliminate trailing ..*/ if ((i = strstr(path, "..")) != NULL) |
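Review bot: In step 3 of path_clean, the for loop's step expression still searches for ".." while its initializer searches for "../", so the new `i[2] == '\0'` guard covers only the case where the match sits at the very end of the string. A ".." followed by any other character (for example inside a segment name such as `a..b`) still reaches `path_elide_dotdot(path, i, 3)`, and whether that call copes with a match that is not a real "../" is not visible in this hunk. Consider making the step expression `strstr(path, "../")` to match the initializer, so the loop body only ever sees "../" and the trailing ".." falls through to step 4 without a special case. A regression test with an IRI that ends in ".." and stays inside the root directory, the case the commit message describes, would be worth adding with this fix.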