in reply to How Internet is a mess. (Playing with HTTPD)

And they can't access things outside the DOCUMENT_ROOT.

Are you sure?

print normalize_path( "\\.\\./etc/passwd" );
__DATA__
../etc/passwd

Hmmm, looks outside the document root to me. You also have a bug in your $symb_ok regex string. You go on to try to convert \\ to / but you have stripped them out with the $path =~ s/[^$symb_ok]//gs; regex. If you fix that problem to allow windows \ paths you need to be really careful otherwise...

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

Re: Re: How Internet is a mess. (Playing with HTTPD)
by gmpassos (Priest) on Feb 27, 2003 at 21:51 UTC
    Wow! You found a bug! It was in the $symb_ok and $path =~ s/^$symb_ok//gs ; that I have added in the last week. The right one is:
    my $symb_ok = q`!#$%&'()+,-./:;=@[\]^{}~€ŸÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖÙÚÛÜÝàáâãäåæçèéêëìíîïðñòóôõöùúûüýÿ`; $path =~ s/[^\w\s\Q$symb_ok\E]//gs ;
    I can't put \Q\E inside the variable, it doesn't work like we want! I have updated the main node, take a look.

    Graciliano M. P.
    "The creativity is the expression of the liberty".

      So now the hack to get outside the document root is just:

      print normalize_path( "../etc/passwd" );
      __DATA__
      ../etc/passwd

      cheers

      tachyon

      s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

        Ouch! Again!
        The path needs to start with / or it allows a reference path, which I can't cut off, at least in another module. But the path comes from the URI, which always starts with /. I need to add this after $path =~ s/\\+/\//g ;.
        if ($path !~ /^\// ) { $path = "/$path" ;}
        Note that this bug only exists when using the normalize_path() function directly, not if passed from the HTTP protocol, even for a fake:
        GET ../etc/passwd HTTP/1.0

        Graciliano M. P.
        "The creativity is the expression of the liberty".
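The two bypasses in this thread (a stripped backslash turning `\.\./` into `../`, and a path with no leading `/`) both come from normalizing the request path as a string rather than as a list of segments. The following is an added example, not code from HPL::HTTPD or HTTP::Daemon: it converts separators first, percent-decodes once, resolves `.` and `..` segment by segment, and refuses any path whose `..` would climb above the root instead of silently clamping it. The document root and the sample inputs are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example: segment-based path normalization for a file-serving HTTP
# handler. Not the HPL::HTTPD code; the document root below is made up.
use strict;
use warnings;

my $DOCUMENT_ROOT = '/var/www/htdocs';   # constructed for this example

# Returns the canonical absolute path under "/", or undef if the request
# contains a NUL byte or tries to climb above the root.
sub normalize_path {
    my ($path) = @_;
    return undef if $path =~ /\0/;               # NUL would truncate in C libraries
    $path =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;  # decode %XX exactly once, before resolving
    return undef if $path =~ /\0/;               # "%00" is the same problem after decoding
    $path =~ s/\\/\//g;                          # treat backslashes as separators, never strip them

    my @out;
    for my $seg (split m{/+}, $path) {
        next if $seg eq '' || $seg eq '.';       # empty and "." segments are no-ops
        if ($seg eq '..') {
            return undef unless @out;            # would escape the root: reject, don't clamp
            pop @out;
            next;
        }
        push @out, $seg;
    }
    return '/' . join('/', @out);                # always anchored at "/"
}

# Maps a request path onto the filesystem; undef means "respond 400/404".
sub resolve_file {
    my ($request_path) = @_;
    my $clean = normalize_path($request_path);
    return undef unless defined $clean;
    return $DOCUMENT_ROOT . $clean;
}

# Constructed inputs, including the two cases from the thread.
for my $p ('/index.html', '\\.\\./etc/passwd', '../etc/passwd',
           '/a/./b/../c', '/%2e%2e/etc/passwd') {
    my $r = resolve_file($p);
    printf "%-22s => %s\n", $p, defined $r ? $r : 'REJECTED';
}
```

With these inputs, `\.\./etc/passwd` becomes `/././etc/passwd` and resolves harmlessly to `/var/www/htdocs/etc/passwd`, while `../etc/passwd` and `/%2e%2e/etc/passwd` are rejected because their `..` has nothing to pop. Rejecting rather than clamping is a design choice: the prepend-`/` fix above would serve `/etc/passwd` under the root instead, which is also safe; rejecting additionally gives the server a clear signal to log.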

      Now do you see why people don't just go running around writing their own HTTP servers? By the time you're done writing it and finding every possible security problem, you could have installed Apache (or any of several other open source servers) a few hundred times. Nothing personal, but the "it's too hard to install so I wrote my own" argument just doesn't hold up.
        I respect your point of view. But I'm not doing this for me!

        And I'm not doing all the HTTP server, I'm using the module HTTP::Daemon. That doesn't filter the malicious queries. After testing the filter of the queries I will send it to the author of HTTP::Daemon, to insert it in the next release, and no one will need to make it again! This is how Perl works. ;-P

        Note that HPL::HTTPD is not only an HTTP server. It creates a CGI environment to run the HPL docs. The code for the HTTP connection is the smallest part.

        But one thing I know. I have learned a lot just posting this node. And this has a big value for me.

        Graciliano M. P.
        "The creativity is the expression of the liberty".