Merge pull request #1679 from ffurano/master

Allow usage of full URI in the request
xrootd · Apr 13, 2022 · 81e57b5 · 81e57b5
2 parents 57b360f + f25b6e8
commit 81e57b5
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 2 deletions.
diff --git a/src/XrdHttp/XrdHttpReq.cc b/src/XrdHttp/XrdHttpReq.cc
@@ -883,15 +883,47 @@ void XrdHttpReq::appendOpaque(XrdOucString &s, XrdSecEntity *secent, char *hash,
 
 }
 
-// Extracts the opaque info from the given url
 
+// Sanitize the resource from the http[s]://[host]/ questionable prefix
+// https://github.com/xrootd/xrootd/issues/1675
+void XrdHttpReq::sanitizeResourcePfx() {
+
+  if (resource.beginswith("https://")) {
+    // Find the slash that follows the hostname, and keep it
+    int p = resource.find('/', 8);
+    resource.erasefromstart(p);
+    return;
+  }
+
+  if (resource.beginswith("http://")) {
+    // Find the slash that follows the hostname, and keep it
+    int p = resource.find('/', 7);
+    resource.erasefromstart(p);
+    return;
+  }
+}
+
+
+// Parse a resource line:
+// - sanitize
+// - extracts the opaque info from the given url
+// - sanitize the resource from http[s]://[host]/ questionable prefix
 void XrdHttpReq::parseResource(char *res) {
+
+
+
+
   // Look for the first '?'
   char *p = strchr(res, '?');
 
   // Not found, then it's just a filename
   if (!p) {
     resource.assign(res, 0);
+
+    // Some poor client implementations may inject a http[s]://[host]/ prefix
+    // to the resource string. Here we choose to ignore it as a protection measure
+    sanitizeResourcePfx();  
+
     char *buf = unquote((char *)resource.c_str());
     resource.assign(buf, 0);
     resourceplusopaque.assign(buf, 0);
@@ -912,7 +944,11 @@ void XrdHttpReq::parseResource(char *res) {
 
   int cnt = p - res; // Number of chars to copy
   resource.assign(res, 0, cnt - 1);
-
+
+  // Some poor client implementations may inject a http[s]://[host]/ prefix
+  // to the resource string. Here we choose to ignore it as a protection measure
+  sanitizeResourcePfx();  
+
   char *buf = unquote((char *)resource.c_str());
   resource.assign(buf, 0);
   free(buf);

diff --git a/src/XrdHttp/XrdHttpReq.hh b/src/XrdHttp/XrdHttpReq.hh
@@ -113,6 +113,9 @@ private:
   void parseResource(char *url);
   // Map an XRootD error code to an appropriate HTTP status code and message
   void mapXrdErrorToHttpStatus();
+
+  // Sanitize the resource from http[s]://[host]/ questionable prefix
+  void sanitizeResourcePfx();
 public:
 
   XrdHttpReq(XrdHttpProtocol *protinstance) : keepalive(true) {

diff --git a/src/XrdOss/XrdOssCreate.cc b/src/XrdOss/XrdOssCreate.cc
@@ -116,6 +116,7 @@ int XrdOssSys::Create(const char *tident, const char *path, mode_t access_mode,
     EPNAME("Create")
     const int AMode = S_IRWXU|S_IRWXG|S_IROTH|S_IXOTH; // 775
     char  local_path[MAXPATHLEN+1], *p, pc;
+    local_path[0] = '\0';
     unsigned long long remotefs;
     int isLink = 0, Missing = 1, retc = 0, datfd;
     XrdOssCreateInfo crInfo(local_path, path, access_mode, Opts);