https://github.com/warmcat/libwebsockets/issues/481
Return 403 Forbidden if we don't end up with a uri path starting with /
Signed-off-by: Andy Green <andy@warmcat.com>
break;
}
+ /* we insist on absolute paths */
+
+ if (uri_ptr[0] != '/') {
+ lws_return_http_status(wsi, HTTP_STATUS_FORBIDDEN, NULL);
+
+ goto bail_nuke_ah;
+ }
+
/* HTTP header had a content length? */
wsi->u.http.content_length = 0;
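Review bot: The new guard at `if (uri_ptr[0] != '/')` rejects every request-target that is not origin-form, which also covers the absolute-form `http://host/path` that RFC 7230 §5.3.2 requires origin servers to accept and the `*` target used by OPTIONS; unless the parser has already rewritten those into a plain path before this point (not visible in the hunk), proxy-style clients will now receive 403 for well-formed requests. The check also reads `uri_ptr[0]` unconditionally, so it relies on `uri_ptr` being non-NULL and NUL-terminated even for a zero-length target; `if (!uri_ptr || uri_ptr[0] != '/')` or a comment recording that guarantee would make the assumption explicit. A comment such as `/* only origin-form (/path) request-targets are served here; absolute-form and '*' are rejected */` would document the policy for the next maintainer. The enclosing function starts and ends outside the hunk.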
echo
echo "---- nonexistant file"
rm -f /tmp/lwscap
-echo -e "GET nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
+echo -e "GET /nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
check media
check
echo
+echo "---- relative uri path"
+rm -f /tmp/lwscap
+echo -e "GET nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
+check forbidden
+check
+
+echo
echo "---- directory attack 1 (/../../../../etc/passwd should be /etc/passswd)"
rm -f /tmp/lwscap
echo -e "GET /../../../../etc/passwd HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
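Review bot: The new `relative uri path` case exercises only a bare relative target (`GET nope`); the server-side check it covers also turns away absolute-form targets (`GET http://host/nope HTTP/1.1`) and an empty or `*` target, so adding one of those as a further case would pin down whether that rejection is intended or whether absolute-form should be normalised instead. The case depends on `check forbidden`, whose definition lies outside the hunk, so the expected status cannot be confirmed from here. It also inherits the fixed, predictable `/tmp/lwscap` path from the surrounding cases; a `mktemp`-created file would avoid a shared temp path, though that pattern predates this change.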