STR866 fix introduces DoS #1042

Closed
michaelrsweet opened this Issue Dec 31, 2004 · 2 comments

Comments

Projects
None yet
1 participant
@michaelrsweet
Collaborator

michaelrsweet commented Dec 31, 2004

Version: 1.1-current
CUPS.org User: kmuto.debian

I noticed your fix on STR#866 caused critical hang-up when invalid URL came.
For example, 'GET /..a HTTP/1.1'.
(This bug was found by nessus security audit software)

I found the point, is_path_absolute in scheduler/client.c.

while ((path = strstr(path, "/..")) != NULL)
if (!path[3] || path[3] == '/')
return (0);

It should increment path pointer, isn't it?

while ((path = strstr(path, "/..")) != NULL) {
if (!path[3] || path[3] == '/')
return (0);
path++;
}

Thanks,

@michaelrsweet

This comment has been minimized.

Show comment
Hide comment
@michaelrsweet

michaelrsweet Dec 31, 2004

Collaborator

CUPS.org User: mike

Thanks, will include the fix in 1.1.23.

Collaborator

michaelrsweet commented Dec 31, 2004

CUPS.org User: mike

Thanks, will include the fix in 1.1.23.

@michaelrsweet

This comment has been minimized.

Show comment
Hide comment
@michaelrsweet

michaelrsweet Jan 3, 2005

Collaborator

CUPS.org User: mike

Fixed in CVS - the anonymous CVS repository will be updated at midnight EST.

Collaborator

michaelrsweet commented Jan 3, 2005

CUPS.org User: mike

Fixed in CVS - the anonymous CVS repository will be updated at midnight EST.

@michaelrsweet michaelrsweet added this to the Stable milestone Mar 17, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment