http: fix traversal security issue

nodogsplash · Jul 22, 2023 · a745a5d · a745a5d
1 parent 378a80d
commit a745a5d
Showing 1 changed file with 13 additions and 11 deletions.
diff --git a/src/http_microhttpd.c b/src/http_microhttpd.c
@@ -1156,36 +1156,38 @@ static int serve_file(struct MHD_Connection *connection, t_client *client, const
 	struct stat stat_buf;
 	s_config *config = config_get_config();
 	struct MHD_Response *response;
-	char filename[PATH_MAX];
+	char path[PATH_MAX+1];
 	int ret = MHD_NO;
-	const char *mimetype = NULL;
-	off_t size;
 
-	snprintf(filename, PATH_MAX, "%s/%s", config->webroot, url);
+	if (strstr(url, "../") != NULL) {
+		debug(LOG_WARNING, "Probable Path Traversal Attack Detected - %s", url);
+		return send_error(connection, 403);
+	}
+
+	snprintf(path, PATH_MAX, "%s/%s", config->webroot, url);
 
 	/* check if file exists and is not a directory */
-	ret = stat(filename, &stat_buf);
-	if (ret) {
-		/* stat failed */
+	ret = stat(path, &stat_buf);
+	if (ret)
 		return send_error(connection, 404);
-	}
 
 	if (!S_ISREG(stat_buf.st_mode)) {
+		// path does not point to a regular file
 #ifdef S_ISLNK
 		/* ignore links */
 		if (!S_ISLNK(stat_buf.st_mode))
 #endif /* S_ISLNK */
 		return send_error(connection, 404);
 	}
 
-	int fd = open(filename, O_RDONLY);
+	int fd = open(path, O_RDONLY);
 	if (fd < 0)
 		return send_error(connection, 404);
 
-	mimetype = lookup_mimetype(filename);
+	const char *mimetype = lookup_mimetype(path);
 
 	/* serving file and creating response */
-	size = lseek(fd, 0, SEEK_END);
+	off_t size = lseek(fd, 0, SEEK_END);
 	if (size < 0)
 		return send_error(connection, 404);