fixed to correctly sanitize the input string in the built-in HTTP ser…

…ver which led a number of security vulnerabilities. #30
mikaku · Nov 21, 2013 · ff80441 · ff80441
1 parent 4cad2ed
commit ff80441
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/Changes b/Changes
@@ -1,3 +1,9 @@
+3.3.1  - 21-Nov-2013
+====================
+- Fixed to correctly sanitize the input string in the built-in HTTP server
+  which led a number of security vulnerabilities. [#30]
+
+
 3.3.0  - 12-Aug-2013
 ====================
 - Added a complete statistical Wowza Media Server graph.

diff --git a/lib/HTTPServer.pm b/lib/HTTPServer.pm
@@ -148,6 +148,7 @@ sub handle_request {
 	my $target;
 	my $target_cgi;
 	my @data;
+	my $OK_CHARS='-a-zA-Z0-9_./';	# a restrictive list of valid chars
 
 	return if fork();	# parent returns
 
@@ -192,8 +193,12 @@ sub handle_request {
 	}
 	($mimetype) = ($target =~ m/.*\.(html|cgi|png)$/);
 
-	$target =~ s/^\///;		# removes leading slash
-	$target_cgi =~ s/^\///;		# removes leading slash
+	$target =~ s/^\/*//;		# removes leading slashes
+	$target_cgi =~ s/^\/*//;	# removes leading slashes
+
+	$target =~ s/[^$OK_CHARS]/_/go;		# only $OK_CHARS are allowed
+	$target_cgi =~ s/[^$OK_CHARS]/_/go;	# only $OK_CHARS are allowed
+
 	if($target_cgi eq "monitorix.cgi") {
 		chdir("cgi");
 		open(EXEC, "./$target_cgi |");