Permalink
Browse files

Do not allow backslashes in path (security).

On Windows, it is possible to access arbitrary files by crafting
a GET with unescaped \, like GET /..\..\..\..\..\windows\win.ini

http://www.couchbase.com/issues/browse/MB-7390
  • Loading branch information...
1 parent 20f2f00 commit 977f91c7a657b9af0206fc99de62240662935792 @melkote melkote committed Dec 14, 2012
Showing with 9 additions and 2 deletions.
  1. +9 −2 src/mochiweb_util.erl
View
@@ -68,11 +68,17 @@ partition2(_S, _Sep) ->
%% @spec safe_relative_path(string()) -> string() | undefined
%% @doc Return the reduced version of a relative path or undefined if it
%% is not safe. safe relative paths can be joined with an absolute path
-%% and will result in a subdirectory of the absolute path.
+%% and will result in a subdirectory of the absolute path. Safe paths
+%% never contain a backslash character.
safe_relative_path("/" ++ _) ->
undefined;
safe_relative_path(P) ->
- safe_relative_path(P, []).
+ case string:chr(P, $\\) of
+ 0 ->
+ safe_relative_path(P, []);
+ _ ->
+ undefined
+ end.
safe_relative_path("", Acc) ->
case Acc of
@@ -815,6 +821,7 @@ safe_relative_path_test() ->
undefined = safe_relative_path("../foo"),
undefined = safe_relative_path("foo/../.."),
undefined = safe_relative_path("foo//"),
+ undefined = safe_relative_path("foo\\bar"),
ok.
parse_qvalues_test() ->

0 comments on commit 977f91c

Please sign in to comment.