From c8f565b030532fa653f5a15f44626177bb69dfb7 Mon Sep 17 00:00:00 2001
From: Philipp Schafft
Date: Sun, 27 Mar 2016 17:45:13 +0000
Subject: [PATCH] Update: SECURITY File extension check for trailing characters

This changes the file extension check in a way that it no longer ignores trailing characters. This significantly reduces the risk for false positives while matching. However this invalidates old setups with files like foo.xsl3. However I have never files like that in the wild. This is based on the patch privided by ePirat in ticket #2248.
See: #2248
---
 src/util.c | 40 ++++++++++++++--------------------------
 src/util.h | 5 +++--
 2 files changed, 17 insertions(+), 28 deletions(-)
diff --git a/src/util.c b/src/util.c
index bd62692f..d9f62128 100644
--- a/src/util.c
+++ b/src/util.c
@@ -197,35 +197,23 @@ char *util_get_extension(const char *path) {
 }
 
 int util_check_valid_extension(const char *uri) {
- int ret = 0;
- char *p2;
+ const char *p2;
 
- if (uri) {
- p2 = strrchr(uri, '.');
- if (p2) {
- p2++;
- if (strncmp(p2, "xsl", strlen("xsl")) == 0) {
- /* Build the full path for the request, concatenating the webroot from the config.
- ** Here would be also a good time to prevent accesses like '../../../../etc/passwd' or somesuch.
- */
- ret = XSLT_CONTENT;
- }
- if (strncmp(p2, "htm", strlen("htm")) == 0) {
- /* Build the full path for the request, concatenating the webroot from the config.
- ** Here would be also a good time to prevent accesses like '../../../../etc/passwd' or somesuch.
- */
- ret = HTML_CONTENT;
- }
- if (strncmp(p2, "html", strlen("html")) == 0) {
- /* Build the full path for the request, concatenating the webroot from the config.
- ** Here would be also a good time to prevent accesses like '../../../../etc/passwd' or somesuch.
- */
- ret = HTML_CONTENT;
- }
+ if (!uri)
+ return UNKNOWN_CONTENT;
 
- }
+ p2 = strrchr(uri, '.');
+ if (!p2)
+ return UNKNOWN_CONTENT;
+ p2++;
+
+ if (strcmp(p2, "xsl") == 0 || strcmp(p2, "xslt") == 0) {
+ return XSLT_CONTENT;
+ } else if (strcmp(p2, "htm") == 0 || strcmp(p2, "html") == 0) {
+ return HTML_CONTENT;
 }
- return ret;
+
+ return UNKNOWN_CONTENT;
 }
 
 static int hex(char c)
diff --git a/src/util.h b/src/util.h
index 2cb619e4..af21c1d6 100644
--- a/src/util.h
+++ b/src/util.h
@@ -17,8 +17,9 @@
 /* for FILE* */
 #include
 
-#define XSLT_CONTENT 1
-#define HTML_CONTENT 2
+#define UNKNOWN_CONTENT 0
+#define XSLT_CONTENT 1
+#define HTML_CONTENT 2
 
 #define READ_ENTIRE_HEADER 1
 #define READ_LINE 0
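Review bot: The new `strcmp(p2, "xsl") == 0` style comparisons in `util_check_valid_extension` are exact and case-sensitive, so the result now depends on `uri` being a bare path with a lower-case extension. A `uri` that still carries a query string or other suffix after the extension, or one ending in `.XSL`, returns `UNKNOWN_CONTENT`, where the old prefix match accepted the former. Whether callers strip the query string first is not visible in this hunk and should be confirmed. On a case-insensitive filesystem an upper-case extension would name the same file yet bypass the XSLT/HTML classification. If case-insensitive matching is wanted, `strcasecmp(p2, "xsl") == 0` (POSIX `<strings.h>`) is the smallest change; otherwise add a comment above the function such as `/* uri must be a path without query string; the extension match is exact and case-sensitive */`.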
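Review bot: The new `UNKNOWN_CONTENT` in `src/util.h` has no comment saying that its value has to remain 0. The removed code returned a plain `0` for "no match", so existing callers may test the result as a boolean rather than compare against the named constant (not visible in this diff). A one-line comment on the define, for example `/* must stay 0: "no recognised extension", callers may test the result as false */`, would keep a later renumbering from silently changing which requests are treated as XSLT or HTML.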