in reply to Re: How Internet is a mess. (Playing with HTTPD)
in thread How Internet is a mess. (Playing with HTTPD)

Wow! You found a bug! It was in the $symb_ok and $path =~ s/^$symb_ok//gs ; that I have added in the last week. The right one is:
my $symb_ok = q`!#$%&'()+,-./:;=@[\]^{}~€ŸÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖÙÚÛÜÝàáâãäåæçèéêëìíîïðñòóôõöùúûüýÿ`;
$path =~ s/[^\w\s\Q$symb_ok\E]//gs ;
I can't put \Q\E inside the variable; it doesn't work like we want! I have updated the main node, take a look.

Graciliano M. P.
"The creativity is the expression of the liberty".

Re: Re: Re: How Internet is a mess. (Playing with HTTPD)
by tachyon (Chancellor) on Feb 27, 2003 at 22:04 UTC

    So now the hack to get outside the document root is just:

    print normalize_path( "../etc/passwd" );
    __DATA__
    ../etc/passwd

    cheers

    tachyon

    s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

      Ouch! Again!
      The path needs to start with / or it allows a reference path, which I can't cut off, at least in another module. But the path comes from the URI, which always starts with /. I need to add this after $path =~ s/\\+/\//g ;.
      if ($path !~ /^\// ) { $path = "/$path" ;}
      Note that this bug only exists when using the normalize_path() function directly, not if it is passed from the HTTP protocol, even for a fake:
      GET ../etc/passwd HTTP/1.0

      Graciliano M. P.
      "The creativity is the expression of the liberty".

        Hack this.

        sub normalize_path {
            my ( $path ) = @_ ;
            return '' unless $path;
            # ensure that multiple %HH encoded stuff is decoded completely (known hack)
            1 while $path =~ s/%([0-9a-fA-F]{2})/chr hex $1/ge;
            # get rid of those damn back slashes
            $path =~ s!\\+!/!g;
            # I don't see the need for many more chars than these
            # as the stated purpose is docs, not cgi ?;&= are
            # pointless, especially as I just destroyed the query
            # string (potentially) if these are encoded with %HH
            $path =~ s![^\w \Q-?&;:,=./#\E]!!g;
            # fix ../ we don't have any \ left to fool us
            $path =~ s!\.\.?/!!g;
            # trim leading whitespace
            $path =~ s/^\s+//g;
            # allow single spaces for say Documents and Settings
            $path =~ s/ +/ /g;
            return $path ;
        }

        cheers

        tachyon

        s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
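Both the leading-slash fix above and tachyon's normalize_path treat "../" as text to delete. As an added example (not code from this thread or from HPL::HTTPD), here is a Perl normalizer that keeps the repeated %HH decoding and backslash folding but resolves "." and ".." segment by segment, so a request can never climb above the document root and an attempt to do so is reported instead of silently served; the root /var/www/docs and the sample requests are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use 5.010;   # for the // operator

# Segment-based normalizer (added example). Decodes %HH until stable, folds
# backslashes, then walks the segments: ".." pops a segment, and ".." at the
# root is flagged rather than deleted. Returns (normalized path, escaped flag).
sub normalize_path {
    my ($path) = @_;
    $path = '' unless defined $path;
    # decode repeatedly so %252e%252e does not survive a single pass
    1 while $path =~ s/%([0-9a-fA-F]{2})/chr hex $1/ge;
    $path =~ tr{\\}{/};                  # treat backslashes as separators
    $path = "/$path" unless $path =~ m{^/};
    my (@out, $escaped);
    for my $seg (split m{/+}, $path) {
        next if $seg eq '' || $seg eq '.';
        if ($seg eq '..') {
            if (@out) { pop @out } else { $escaped = 1 }   # ".." above root
            next;
        }
        push @out, $seg;
    }
    return ('/' . join('/', @out), $escaped ? 1 : 0);
}

# Map a request onto the document root ($docroot is an assumed local path);
# refuse, and give the caller something to log, when it tried to leave it.
sub resolve_under_root {
    my ($docroot, $req) = @_;
    my ($norm, $escaped) = normalize_path($req);
    return undef if $escaped;
    return $docroot . $norm;
}

# Constructed inputs, including the ones traded in the thread.
my $root = '/var/www/docs';
for my $req ('../etc/passwd', '/..%2f..%2fetc/passwd',
             '%252e%252e/etc/passwd', '..\\..\\etc\\passwd',
             '/docs/./index.html', '/a/b/../c') {
    printf "%-26s -> %s\n", $req,
        resolve_under_root($root, $req) // 'REJECTED (tried to leave root)';
}
```

The first four requests are rejected with the flag set; the last two map to /var/www/docs/docs/index.html and /var/www/docs/a/c.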

Re: Re: Re: How Internet is a mess. (Playing with HTTPD)
by perrin (Chancellor) on Feb 28, 2003 at 01:42 UTC
    Now do you see why people don't just go running around writing their own HTTP servers? By the time you're done writing it and finding every possible security problem, you could have installed Apache (or any of several other open source servers) a few hundred times. Nothing personal, but the "it's too hard to install so I wrote my own" argument just doesn't hold up.
      I respect your point of view. But I'm not doing this for me!

      And I'm not doing all the HTTP server, I'm using the module HTTP::Daemon. That doesn't filter the malicious queries. After testing the filter of the queries I will send it to the author of HTTP::Daemon, to insert it in the next release, and no one will need to make it again! This is how Perl works. ;-P

      Note that HPL::HTTPD is not only an HTTP server. It creates a CGI environment to run the HPL docs. The code for the HTTP connection is the smallest part.

      But one thing I know. I have learned a lot just posting this node. And this has a big value for me.

      Graciliano M. P.
      "The creativity is the expression of the liberty".

        Glad to hear you'll be sending a patch for HTTP::Daemon. That's a good thing for all of us.