#70 Wrong relative path handling leads to bypassing banned regex

Milestone: v2.8
Status: pending
Owner: nobody
Labels: None
Priority: 5
Updated: 2012-10-10
Created: 2010-09-21
Private: No

In the method String::realPath, relative paths are also simplified in the query string part of the entire URL.
For example, with a URL like
/index.php?id=1234&zz=../test.html
the method simplifies it as:
/test.html
As this simplified URL is the one checked against bannedregexpurllist, its patterns cannot detect potential attacks.

This bug enables an attacker to bypass all bannedregexpurllist patterns.

May I suggest stopping the analysis and rewriting of the URL as soon as the query string begins?

Here is a piece of code I used to temporarily solve the bug:
void String::realPath()
{
    ...
    for (unsigned int i = 0; i < l; i++) {
        b = (*this)[i];
        if (b == '?' || b == '=' || b == '&') // these characters are only found in a query string
        {
            // copy the remainder of the URL (query string onwards) to temp unchanged
            strncpy(temp + offset, this->data() + i, this->length() - i);
            offset += this->length() - i; // advance offset by the number of bytes just copied
            break;
        }
    ...
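The following is an added illustration and is not code from this ticket or from the project's own String::realPath. realpath_reported is a reconstruction of the behaviour the report describes (any ".." followed by '/' pops back to the previous '/', wherever it sits in the URL); realpath_fixed normalises only the path component and appends the query string untouched, which is what the report suggests; banned_list is a constructed stand-in for a bannedregexpurllist with made-up patterns. All function names and the patterns are assumptions made for this example.

```cpp
#include <cassert>
#include <iostream>
#include <regex>
#include <string>
#include <vector>

// Reconstruction of the behaviour the report describes (assumption: not the
// project's own String::realPath). Every ".." that is followed by '/' or by
// the end of the string pops back to the previous '/', regardless of whether
// it is in the path or inside a query-string parameter value.
std::string realpath_reported(const std::string &in) {
    std::string out;
    const size_t l = in.size();
    for (size_t i = 0; i < l;) {
        if (in.compare(i, 2, "..") == 0 && (i + 2 == l || in[i + 2] == '/')) {
            std::string prefix = out;
            if (!prefix.empty() && prefix.back() == '/') prefix.pop_back();
            if (!prefix.empty()) {  // at the root there is nothing to pop
                size_t slash = prefix.rfind('/');
                out.erase(slash == std::string::npos ? 0 : slash + 1);
            }
            i += (i + 2 < l) ? 3 : 2;  // skip ".." and the '/' that follows it
            continue;
        }
        out += in[i++];
    }
    return out;
}

// Segment-based normalisation of the path component only: resolves "." and
// "..", drops empty segments and never climbs above the root.
static std::string normalize_path(const std::string &path) {
    std::vector<std::string> segs;
    for (size_t start = 0; start <= path.size();) {
        size_t end = path.find('/', start);
        if (end == std::string::npos) end = path.size();
        std::string seg = path.substr(start, end - start);
        if (seg == "..") {
            if (!segs.empty()) segs.pop_back();
        } else if (!seg.empty() && seg != ".") {
            segs.push_back(seg);
        }
        start = end + 1;
    }
    std::string out = "/";
    for (size_t k = 0; k < segs.size(); ++k) {
        if (k) out += '/';
        out += segs[k];
    }
    return out;
}

// What the report suggests: stop rewriting at the first '?'. The query string
// is appended verbatim, so "../" inside a parameter value can no longer
// rewrite the path that the origin server will actually serve.
std::string realpath_fixed(const std::string &url) {
    size_t q = url.find('?');
    if (q == std::string::npos) return normalize_path(url);
    return normalize_path(url.substr(0, q)) + url.substr(q);
}

// Constructed stand-in for a bannedregexpurllist (assumption: the real list is
// matched against the simplified URL with regex-search semantics, as the
// report says).
std::vector<std::regex> banned_list() {
    return {std::regex("index\\.php"), std::regex("/admin/")};
}

// Apply the list to the URL after running it through the given normaliser.
bool is_banned(const std::string &url, const std::vector<std::regex> &list,
               std::string (*normalize)(const std::string &)) {
    const std::string n = normalize(url);
    for (const auto &re : list)
        if (std::regex_search(n, re)) return true;
    return false;
}

int main() {
    const std::string attack = "/index.php?id=1234&zz=../test.html";  // the URL from the report
    std::cout << "reported: " << realpath_reported(attack) << "\n";
    std::cout << "fixed:    " << realpath_fixed(attack) << "\n";
    std::cout << "banned with reported behaviour? "
              << is_banned(attack, banned_list(), realpath_reported) << "\n";  // 0: bypassed
    std::cout << "banned with fixed behaviour?    "
              << is_banned(attack, banned_list(), realpath_fixed) << "\n";     // 1: blocked
    return 0;
}
```

With the reported behaviour the filter examines /test.html and the index.php pattern never fires, while the origin server still receives a request for index.php; splitting at '?' first keeps the two views consistent. The split must be done on the raw request line before any percent-decoding, because an origin server treats an encoded "%3F" in the path as path data, not as the start of the query string.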

Discussion

  • Aecio F. Neto

    Aecio F. Neto - 2012-09-21

    Can you send me a full patch of the changes you did, please?

    Regards.

     
  • Aecio F. Neto

    Aecio F. Neto - 2012-10-10
    • status: open --> pending
    • milestone: --> v2.8
     
