Server path cleanup incorrectly processes query string

[jtjbrady]

Given a path of /soap?query=../test the code for handling paths will treat this as /test

This is because the code in KDSoapServerSocket.cpp parseHeaders calls QDir::cleanPath on the entirety of the passed path including the query.

This could lead to interesting results when using processFileRequest as /soap?query=../../../../../etc/passwd results in a path of ../../../../etc/passwd being passed.

Suggested fix is to split on the query.

-    const QByteArray path = QDir::cleanPath(QString::fromLatin1(firstLine.at(1).constData())).toLatin1();
+    const int queryLocation = firstLine.at(1).indexOf('?');
+    QByteArray path = QDir::cleanPath(QString::fromLatin1(firstLine.at(1).constData(), queryLocation)).toLatin1();
+    if (queryLocation > 0)
+            path += firstLine.at(1).mid(queryLocation);

[dfaure-kdab]

Hi, thanks for the report. I have now investigated and fixed this issue, see the referenced commit.

In addition to stripping out the query like you suggested, I also added a security check that the final path being requested must start with a '/', which excludes paths such as "../../etc/passwd".

Please let me know if any of my changes creates problems for you.

[jtjbrady]

It looks like the new code fixes the security issue, but it looks like it strips out the query string completely.
I use /soapservice?wsdl as the path for the wsdl document and before this change it was possible to implement handling of queries via processFileRequest.

[dfaure-kdab]

Thanks for the quick test. I have amended by commit in commit e474a58 so that queries are preserved.