Severe directory traversal vulnerability (dotdotslash)

[cristiulian]

It looks like you can easily attack a server written with this library via a directory traversal method.

The %2e%2e%5c character is equivalent to .. so by forging a special url, you can easily request any file on current drive (windows) or anywhere in the system (linux). There are some other equivalent characters too, I've only tested with the one above.
The is_valid_path function only tests against "..", but the list should be way longer.
You can traverse back from a folder (mount point) all the way to any folder and request files such as win.ini or /etc/passwd, expecially when you use the library from a service with elevated access.
This issue is extremely severe in my opinion, is there any way to prevent this behaviour?

[yhirose]

@cristiulian thanks for the report, but I am not able to reproduce it. I checked with 'example/simplesvr.cc' and curl.

Here is the result:

The cpp-httplib server decodes the percent encoded codes to '..', but Server::is_valid_path returns false if the path tries to see above the root.

cpp-httplib/httplib.h

Lines 2429 to 2431 in 82a90a2

	} else if (!path.compare(beg, len, "..")) {
	if (level == 0) { return false; }
	level--;

Did you really confirm that the problem happened on your environment? If so, could you provide the smallest possible code example that can reproduce the problem on your machine when confirming the problem?

Thanks for your help.

[cristiulian]

I've compiled simplesrv.cc and I can confirm it is happening on my environment (WIN 10, VS 2017 and VS 2022). I have used the %2e%2e%5c sequence, although the list of possible sequences is much longer, I can provide it if you want to. For some reason, some of them make it through the is_valid_path ".." check, I suppose they're not converted to "..".
Your example above uses a different sequence and indeed it works as expected and the request is rejected.

curl -kI "http://localhost:8080/%2e%2e%5c/httplib.h"

[yhirose]

@cristiulian I confirmed this issue on my Windows machine and fixed it. Thanks for your report!

[cschreib-ibex]

Hello. Can you confirm this affects Windows only? The release notes didn't specify. I am not able to exploit this on a Linux build.

[yhirose]

Yes, I confirmed that it happened only on Windows.