A denial of service bug has been corrected. Multippart POST processin…

…g on the yaws server side contained a list_to_atom/1 call which potentially makes it possible for an attacker to craft a continuous list of POSTs, each potentially generating a new atom. This is a backwards incompatible fix since the upload code on the server side is user code. That code now needs to look for strings instead of atoms. For example the upload.yaws code in the www examples is changed. It now searches for the field "filename" instead of 'filename'.
commit 470004c5da27ab5644e116bd4e10d928c87fbc98 1 parent de1f46a
@klacke authored
Showing with 4 additions and 4 deletions.
  1. +3 −3 src/yaws_api.erl
  2. +1 −1  www/upload.yaws
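--- a/src/yaws_api.erl
+++ b/src/yaws_api.erl
@@ -282,7 +282,7 @@ parse_multipart_post(Arg, Options) ->
 undefined ->
 LineArgs = parse_arg_line(Line),
 {value, {_, Boundary}} =
-lists:keysearch(boundary, 1, LineArgs),
+lists:keysearch("boundary", 1, LineArgs),
 parse_multipart(
 un_partial(Arg#arg.clidata),
 Boundary, Options)
@@ -354,7 +354,7 @@ parse_arg_value([C|Line], Key, Value, Quote, _) ->
 %%
 make_parse_line_reply(Key, Value, Rest) ->
-{{list_to_atom(yaws:funreverse(Key, fun yaws:to_lowerchar/1)),
+{{yaws:funreverse(Key, fun yaws:to_lowerchar/1),
 lists:reverse(Value)}, Rest}.
@@ -502,7 +502,7 @@ parse_multi(Data, #mp_parse_state{state=header}=ParseState, Acc, Name, Hdrs) ->
 "content-disposition" ->
 "form-data"++Params = HdrValStr,
 Parameters = parse_arg_line(Params),
-{value, {_, NewName}} = lists:keysearch(name, 1, Parameters),
+{value, {_, NewName}} = lists:keysearch("name", 1, Parameters),
 parse_multi(Rest, ParseState, Acc,
 NewName, Parameters++Hdrs);
 LowerHdr ->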
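Review bot: make_parse_line_reply/3 now returns the lowercased key as a string instead of an atom, but nothing in the hunk records why, so a later maintainer could reintroduce the list_to_atom/1 call; add a comment above the function such as `%% Keys are returned as lowercased strings, never atoms: list_to_atom/1 on client-controlled header and parameter names would grow the atom table without bound.` The boundary and name lookups in the first and third hunks are updated to string keys, but any other lookup over parse_arg_line/1 results elsewhere in the file that still passes an atom key would now return `false` instead of matching, so the remaining callers are worth checking. Both of those lookups still use `{value, {_, X}} = lists:keysearch(...)`, so a multipart body lacking the boundary or name parameter crashes the request with a badmatch; that behaviour predates this change, but a `{error, _}` return would be friendlier at this trust boundary. The enclosing functions parse_multipart_post/2 and parse_multi/5 begin and end outside the hunks.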
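--- a/www/upload.yaws
+++ b/www/upload.yaws
@@ -74,7 +74,7 @@ addFileChunk(_A, [], State) ->
 {cont, State};
 addFileChunk(A, [{head, {_Name, Opts}}|Res], State ) ->
-case lists:keysearch(filename, 1, Opts) of
+case lists:keysearch("filename", 1, Opts) of
 {value, {_, Fname0}} ->
 Fname = yaws_api:sanitize_file_name(basename(Fname0)),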