1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798 |
- Description: CVE-2015-1419: config option deny_file is not handled correctly
- Author: Marcus Meissner <meissner@suse.com>
- Origin: https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-1419
- Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776922
- Last-Update: 2015-02-24
- ---
- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
- --- a/ls.c
- +++ b/ls.c
- @@ -7,6 +7,7 @@
- * Would you believe, code to handle directory listing.
- */
-
- +#include <stdlib.h>
- #include "ls.h"
- #include "access.h"
- #include "defs.h"
- @@ -243,11 +244,42 @@ vsf_filename_passes_filter(const struct
- struct mystr temp_str = INIT_MYSTR;
- struct mystr brace_list_str = INIT_MYSTR;
- struct mystr new_filter_str = INIT_MYSTR;
- + struct mystr normalize_filename_str = INIT_MYSTR;
- + const char *normname;
- + const char *path;
- int ret = 0;
- char last_token = 0;
- int must_match_at_current_pos = 1;
- +
- str_copy(&filter_remain_str, p_filter_str);
- - str_copy(&name_remain_str, p_filename_str);
- +
- + /* normalize filepath */
- + path = str_strdup(p_filename_str);
- + normname = realpath(path, NULL);
- + if (normname == NULL)
- + goto out;
- + str_alloc_text(&normalize_filename_str, normname);
- +
- + if (!str_isempty (&filter_remain_str) && !str_isempty(&normalize_filename_str)) {
- + if (str_get_char_at(p_filter_str, 0) == '/') {
- + if (str_get_char_at(&normalize_filename_str, 0) != '/') {
- + str_getcwd (&name_remain_str);
- +
- + if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */
- + str_append_char (&name_remain_str, '/');
- +
- + str_append_str (&name_remain_str, &normalize_filename_str);
- + }
- + else
- + str_copy (&name_remain_str, &normalize_filename_str);
- + } else {
- + if (str_get_char_at(p_filter_str, 0) != '{')
- + str_basename (&name_remain_str, &normalize_filename_str);
- + else
- + str_copy (&name_remain_str, &normalize_filename_str);
- + }
- + } else
- + str_copy(&name_remain_str, &normalize_filename_str);
-
- while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
- {
- @@ -360,6 +392,9 @@ vsf_filename_passes_filter(const struct
- ret = 0;
- }
- out:
- + free(normname);
- + free(path);
- + str_free(&normalize_filename_str);
- str_free(&filter_remain_str);
- str_free(&name_remain_str);
- str_free(&temp_str);
- --- a/str.c
- +++ b/str.c
- @@ -711,3 +711,14 @@ str_replace_unprintable(struct mystr* p_
- }
- }
-
- +void
- +str_basename (struct mystr* d_str, const struct mystr* path)
- +{
- + static struct mystr tmp;
- +
- + str_copy (&tmp, path);
- + str_split_char_reverse(&tmp, d_str, '/');
- +
- + if (str_isempty(d_str))
- + str_copy (d_str, path);
- +}
- --- a/str.h
- +++ b/str.h
- @@ -100,6 +100,7 @@ void str_replace_unprintable(struct myst
- int str_atoi(const struct mystr* p_str);
- filesize_t str_a_to_filesize_t(const struct mystr* p_str);
- unsigned int str_octal_to_uint(const struct mystr* p_str);
- +void str_basename (struct mystr* d_str, const struct mystr* path);
-
- /* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string
- * buffer, starting at character position 'p_pos'. The extracted line will
|