Backport r87715 from trunk

svn path=/branches/mono-1-2-5/mcs/; revision=87716
mono · Oct 17, 2007 · 89e6d75 · 89e6d75
1 parent ef21dfa
commit 89e6d75
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 1 deletion.
diff --git a/mcs/class/System.Web/System.Web/ChangeLog b/mcs/class/System.Web/System.Web/ChangeLog
@@ -1,3 +1,17 @@
+2007-10-17  Marek Habersack  <mhabersack@novell.com>
+
+	* StaticFileHandler.cs: fixed an bug with Mono running under
+	Windows operating systems which caused XSP to return source of the
+	requested page if the file name used in the request ended in any
+	number of spaces or dots. The problem lies in the way the Win32
+	subsystem treats such file names - it ignores the trailing
+	characters and allows the calling application to open a file on
+	disk even when its name does not contain the trailing characters
+	used in the open request. Such file names may be supported by the
+	underlying filesystem (e.g. NTFS) but they are not supported by
+	the I/O Win32 subsystem. The security issue is reported in
+	CVE security report CVE-2007-5473. Fixes bug #332401
+
 2007-07-22  Vladimir Krasnov  <vladimirk@mainsoft.com>
 
 	* HttpServerUtility.cs: fixed Execute, SetCurrentExePath should be 

diff --git a/mcs/class/System.Web/System.Web/StaticFileHandler.cs b/mcs/class/System.Web/System.Web/StaticFileHandler.cs
@@ -31,18 +31,38 @@
 using System;
 using System.Globalization;
 using System.IO;
+using System.Web.Util;
 
 namespace System.Web
 {
 	class StaticFileHandler : IHttpHandler
 	{
+		static bool runningWindows = RunningOnWindows ();
+
+		static bool RunningOnWindows ()
+		{
+			int pid = (int)Environment.OSVersion.Platform;
+			return (pid != 4 && pid != 128);
+		}
+
+		static bool ValidFileName (string fileName)
+		{
+			if (!runningWindows)
+				return true;
+
+			if (fileName == null || fileName.Length == 0)
+				return false;
+
+			return (!StrUtils.EndsWith (fileName, " ") && !StrUtils.EndsWith (fileName, "."));
+		}
+
 		public void ProcessRequest (HttpContext context)
 		{
 			HttpRequest request = context.Request;
 			HttpResponse response = context.Response;
 			string fileName = request.PhysicalPath;
 			FileInfo fi = new FileInfo (fileName);
-			if (!fi.Exists)
+			if (!fi.Exists || !ValidFileName (fileName))
 				throw new HttpException (404, "File '" + request.FilePath + "' not found.");
 
 			if ((fi.Attributes & FileAttributes.Directory) != 0) {