STR866 fix introduces DoS #1042

Closed
michaelrsweet opened this Issue Dec 31, 2004 · 2 comments

Comments

Projects
None yet
1 participant
Collaborator

michaelrsweet commented Dec 31, 2004

Version: 1.1-current
CUPS.org User: kmuto.debian

I noticed your fix on STR#866 caused critical hang-up when invalid URL came.
For example, 'GET /..a HTTP/1.1'.
(This bug was found by nessus security audit software)

I found the point, is_path_absolute in scheduler/client.c.

while ((path = strstr(path, "/..")) != NULL)
if (!path[3] || path[3] == '/')
return (0);

It should increment path pointer, isn't it?

while ((path = strstr(path, "/..")) != NULL) {
if (!path[3] || path[3] == '/')
return (0);
path++;
}

Thanks,

Collaborator

michaelrsweet commented Dec 31, 2004

CUPS.org User: mike

Thanks, will include the fix in 1.1.23.

Collaborator

michaelrsweet commented Jan 3, 2005

CUPS.org User: mike

Fixed in CVS - the anonymous CVS repository will be updated at midnight EST.

michaelrsweet added this to the Stable milestone Mar 17, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment