[core] fix abort in http-parseopts (fixes #2945)
fix abort in server.http-parseopts with url-path-2f-decode enabled

(thx stze)

x-ref:
  "Security - SIGABRT during GET request handling with url-path-2f-decode enabled"
  https://redmine.lighttpd.net/issues/2945
gstrauss committed Apr 10, 2019
1 parent 107fa1f commit 32120d5
Showing 2 changed files with 6 additions and 2 deletions.
6 changes: 4 additions & 2 deletions src/burl.c
Expand Up @@ -252,8 +252,10 @@ static int burl_normalize_2F_to_slash_fix (buffer *b, int qs, int i)
}
}
if (qs >= 0) {
memmove(s+j, s+qs, blen - qs);
j += blen - qs;
const int qslen = blen - qs;
memmove(s+j, s+qs, (size_t)qslen);
qs = j;
j += qslen;
}
buffer_string_set_length(b, j);
return qs;
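Review bot: the change that matters here is `qs = j;` placed before `j += qslen;`, so the function returns the query-string offset in the compacted buffer instead of the caller's original `qs`, which after the `memmove` and `buffer_string_set_length(b, j)` no longer indexes the shortened string; that stale offset is what the commit message ties to the abort with url-path-2f-decode enabled. The `(size_t)qslen` cast in the `memmove` removes the signed/unsigned conversion but silently relies on `qs <= blen` (otherwise `qslen` is negative and the cast produces a huge length); a one-line comment above the block stating that invariant, and that the return value is the new `?` offset when the `qs >= 0` branch is taken and the unchanged `qs` otherwise, would make the contract explicit for the next reader.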
2 changes: 2 additions & 0 deletions src/t/test_burl.c
Expand Up @@ -97,6 +97,8 @@ static void test_burl_normalize (void) {
flags |= HTTP_PARSEOPT_URL_NORMALIZE_PATH_2F_DECODE;
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/b?c=/"), CONST_STR_LEN("/a/b?c=/"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/b?c=%2f"), CONST_STR_LEN("/a/b?c=/"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f?"), CONST_STR_LEN("/?"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%2f?"), CONST_STR_LEN("//?"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2fb"), CONST_STR_LEN("/a/b"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2Fb"), CONST_STR_LEN("/a/b"));
run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2fb?c=/"), CONST_STR_LEN("/a/b?c=/"));
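Review bot: the two added cases (`%2f?` expected `/?` and `/%2f?` expected `//?`) exercise exactly the boundary where a decoded `%2f` is the last path byte before the query separator, which is the shape the commit message describes; both use an empty query, so the returned offset is only ever checked against the terminator. A third case with a non-empty query after that boundary, for example `CONST_STR_LEN("/%2f?c=d")` with expected `CONST_STR_LEN("//?c=d")` by analogy with the `/%2f?` case, would also confirm that the query bytes moved by the `memmove` land at the offset the fixed function now returns.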

5 comments on commit 32120d5

@kingomg1973

Hello, does this problem exist in version 1.4.48?

@kingomg1973

There is no burl.c file in version 1.4.48. Can I assume that the overflow problem does not exist in version 1.4.48?

@gstrauss
Member Author

If you are unable to use a search engine and to read, then you are not going to be very good at security.
https://www.cvedetails.com/cve/CVE-2019-11072/

@76328

@76328 76328 commented on 32120d5 Dec 20, 2021


(The website says: lighttpd before 1.4.54 has a signed integer overflow.) Does version 1.4.38 have a signed integer overflow?

@gstrauss
Member Author

@76328 it seems that you also had trouble reading https://www.cvedetails.com/cve/CVE-2019-11072/
Read the part after NOTE: The developer states ...
