fixed to correctly sanitize the input string in the built-in HTTP server which led a number of security vulnerabilities. #30

2013-11-21 10:08:19 +01:00 · 2013-11-21 10:08:19 +01:00 · ff80441be7
parent 4cad2ed428
commit ff80441be7
2 changed files with 13 additions and 2 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+3.3.1  - 21-Nov-2013
+====================
+- Fixed to correctly sanitize the input string in the built-in HTTP server
+  which led a number of security vulnerabilities. [#30]
+
+
 3.3.0  - 12-Aug-2013
 ====================
 - Added a complete statistical Wowza Media Server graph.
--- a/lib/HTTPServer.pm
+++ b/lib/HTTPServer.pm
@ -148,6 +148,7 @@ sub handle_request {
 	my $target;
 	my $target_cgi;
 	my @data;
+	my $OK_CHARS='-a-zA-Z0-9_./';	# a restrictive list of valid chars

 	return if fork();	# parent returns

@ -192,8 +193,12 @@ sub handle_request {
 	}
 	($mimetype) = ($target =~ m/.*\.(html|cgi|png)$/);

-	$target =~ s/^\///;		# removes leading slash
-	$target_cgi =~ s/^\///;		# removes leading slash
+	$target =~ s/^\/*//;		# removes leading slashes
+	$target_cgi =~ s/^\/*//;	# removes leading slashes
+
+	$target =~ s/[^$OK_CHARS]/_/go;		# only $OK_CHARS are allowed
+	$target_cgi =~ s/[^$OK_CHARS]/_/go;	# only $OK_CHARS are allowed
+
 	if($target_cgi eq "monitorix.cgi") {
 		chdir("cgi");
 		open(EXEC, "./$target_cgi |");