In the method String::realPath, relative paths are also simplified in the query string part of the entire URL.
For example, with a URL like
/index.php?id=1234&zz=../test.html
the method simplifies it as:
/test.html
As this simplified URL is used during the bannedregexpurllist check, the patterns cannot detect potential attacks.
This bug enables an attacker to bypass all bannedregexpurllist patterns.
May I suggest stopping the analysis and rewriting of the URL as soon as the query string begins?
Here is a piece of code I used to temporarily solve the bug:
void String::realPath()
{
    ...
    for (unsigned int i = 0; i < l; i++) {
        b = (*this)[i];
        if (b == '?' || b == '=' || b == '&') { // these characters are only found in a query string
            // copy the remainder of the URL to temp untouched
            strncpy(temp + offset, this->data() + i, this->length() - i);
            offset += this->length() - i; // advance offset by the number of bytes just copied
            break;
        }
    ...
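As an added illustration, not code from the report or from the project, here is the same idea written out in full: "." and ".." are resolved only in the path part, and the query string is handed over verbatim, so a bannedregexpurllist-style regex still sees the traversal that the collapsed form "/test.html" would hide. The function names and the regex pattern are constructed for this example.

```cpp
#include <regex>
#include <string>
#include <vector>

// Collapse "." and ".." segments of a path only (no query string handling here).
static std::string collapsePath(const std::string &path)
{
    std::vector<std::string> segs;
    std::string::size_type start = 0;
    for (;;) {
        std::string::size_type slash = path.find('/', start);
        std::string seg = path.substr(start, slash == std::string::npos ? std::string::npos : slash - start);
        if (seg == "..") {
            if (!segs.empty()) segs.pop_back();        // go up one segment, never above the root
        } else if (!seg.empty() && seg != ".") {
            segs.push_back(seg);                       // ordinary segment, keep it
        }
        if (slash == std::string::npos) break;
        start = slash + 1;
    }
    std::string out;
    for (const std::string &s : segs) out += "/" + s;
    if (out.empty() || path.back() == '/') out += "/"; // keep root and trailing slash
    return out;
}

// Query-aware variant of the proposal (hypothetical name): stop at the first '?'
// and append the query string unchanged, so nothing after it is rewritten.
std::string realPathQuerySafe(const std::string &url)
{
    std::string::size_type q = url.find('?');
    if (q == std::string::npos) return collapsePath(url);
    return collapsePath(url.substr(0, q)) + url.substr(q);
}

// Stand-in for one bannedregexpurllist entry (constructed pattern): flag "../" anywhere.
bool bannedByPattern(const std::string &url)
{
    static const std::regex traversal("\\.\\./");
    return std::regex_search(url, traversal);
}
```

With the report's URL, realPathQuerySafe leaves "/index.php?id=1234&zz=../test.html" intact and the pattern matches, whereas the collapsed "/test.html" from the report would not match.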
Can you send me a full patch of the changes you did, please?
Regards.