Update: SECURITY File extension check for trailing characters

This changes the file extension check in a way that it no longer ignores trailing characters. This significantly reduces the risk for false positives while matching. However this invalidates old setups with files like foo.xsl3. However I have never files like that in the wild. This is based on the patch privided by ePirat in ticket #2248. See: #2248
2025-01-03 14:56:34 -05:00 · 2016-03-27 17:45:13 +00:00 · 2016-03-27 17:45:13 +00:00 · c8f565b030
commit c8f565b030
parent 805084ccd1
2 changed files with 17 additions and 28 deletions
--- a/src/util.c
+++ b/src/util.c
@ -197,35 +197,23 @@ char *util_get_extension(const char *path) {
 }

 int util_check_valid_extension(const char *uri) {
-    int    ret = 0;
-    char    *p2;
+    const char    *p2;

-    if (uri) {
-        p2 = strrchr(uri, '.');
-        if (p2) {
-            p2++;
-            if (strncmp(p2, "xsl", strlen("xsl")) == 0) {
-                /* Build the full path for the request, concatenating the webroot from the config.
-                ** Here would be also a good time to prevent accesses like '../../../../etc/passwd' or somesuch.
-                */
-                ret = XSLT_CONTENT;
-            }
-            if (strncmp(p2, "htm", strlen("htm")) == 0) {
-                /* Build the full path for the request, concatenating the webroot from the config.
-                ** Here would be also a good time to prevent accesses like '../../../../etc/passwd' or somesuch.
-                */
-                ret = HTML_CONTENT;
-            }
-            if (strncmp(p2, "html", strlen("html")) == 0) {
-                /* Build the full path for the request, concatenating the webroot from the config.
-                ** Here would be also a good time to prevent accesses like '../../../../etc/passwd' or somesuch.
-                */
-                ret = HTML_CONTENT;
-            }
+    if (!uri)
+        return UNKNOWN_CONTENT;

-        }
+    p2 = strrchr(uri, '.');
+    if (!p2)
+        return UNKNOWN_CONTENT;
+    p2++;
+
+    if (strcmp(p2, "xsl") == 0 || strcmp(p2, "xslt") == 0) {
+        return XSLT_CONTENT;
+    } else if (strcmp(p2, "htm") == 0 || strcmp(p2, "html") == 0) {
+        return HTML_CONTENT;
    }
-    return ret;
+
+    return UNKNOWN_CONTENT;
 }

 static int hex(char c)
--- a/src/util.h
+++ b/src/util.h
@ -17,8 +17,9 @@
 /* for FILE* */
 #include <stdio.h>

-#define XSLT_CONTENT 1
-#define HTML_CONTENT 2
+#define UNKNOWN_CONTENT 0
+#define XSLT_CONTENT    1
+#define HTML_CONTENT    2

 #define READ_ENTIRE_HEADER 1
 #define READ_LINE 0