Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD)

Outch! Again!
The path need to start with / or it allows reference path, that I can't cut off, at least in other module. But the path comes from URI, that always start with /. Need to add this after $path =~ s/\\+/\//g ;.

  if ($path !~ /^\// ) { $path = "/$path" ;}
[download]

Note that this bug only exist using the normalize_path() function directly, not if paste from the HTTP protocol, even for a fake:

GET ../etc/passwd HTTP/1.0
[download]

Graciliano M. P.
"The creativity is the expression of the liberty".

Comment on Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD) Select or Download Code

Replies are listed 'Best First'.
Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD) by tachyon (Chancellor) on Feb 27, 2003 at 22:42 UTC
Hack this. sub normalize_path { my ( $path ) = @_ ; return '' unless $path; # ensure that multiple %HH encoded stuff is decoded completely (know +n hack) 1 while $path =~ s/%([0-9a-fA-F]{2})/chr hex $1/ge; # get rid of those damn back slashes $path =~ s!\\+!/!g; # I don't see the need for many more chars than these # as the stated purpose is docs, not cgi ?;&= are # pointless, espacially as I just destroyed the query # string (potentially) if these are encoded with %HH $path =~ s![^\w \Q-?&;:,=./#\E]!!g; # fix ../ we don't have any \ left to fool us $path =~ s!\.\.?/!!g; # trim leading whitespace $path =~ s/^\s+//g; # allow single spaces for say Documents and Settings $path =~ s/ +/ /g; return $path ; } [download] cheers tachyon s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print	[reply] [d/l]
Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD) by IlyaM (Parson) on Feb 28, 2003 at 09:42 UTC
Hack this. Piece of cake: `my $up_dir = '.../...//'; my $path = ($up_dir x 10) . 'etc/passwd'; print normalize_path($path), "\n";` [download] Prints: `../../../../../../../../../../etc/passwd` [download] -- Ilya Martynov, ilya@iponweb.net CTO IPonWEB (UK) Ltd Quality Perl Programming and Unix Support UK managed @ offshore prices - http://www.iponweb.net Personal website - http://martynov.org	[reply] [d/l] [select]
Re: Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD) by tachyon (Chancellor) on Feb 28, 2003 at 11:10 UTC
Cute! ++ of course. I find it fascinating how you can use ingenuity to spoof these types of filters. Here is one that provides more utility and of course patches your hack. sub ilya_proof_path { my ( $path ) = @_ ; return '' unless $path; my ($type, $domain, $q_string ); ( $path, $q_string ) = split '\?', $path; $q_string =~ tr/\0//d if $q_string; 1 while $path =~ s/%([0-9a-fA-F]{2})/chr hex $1/ge; $path =~ s!\\+!/!g; $path =~ s![^\w \Q-:./#\E]!!g; $path =~ s!\.\.*/!!g; $path =~ s/^\s+//g; $path =~ s/ +/ /g; $type = $1 if $path =~ s!^(\w+):/+!!; $domain = $1 if $type and $type =~ m/(?:https?\|ftps?)/ and $path =~ +s!^([\w\.-]+)/!!; # tolerate win32 drive letters as a pseudo domain $domain = $1 if $type and $type =~ m/file/ and $path =~ s!^([A-Z]:)/ +!!; return $path, $type, $domain, $q_string ; } [download] cheers tachyon s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print	[reply] [d/l]
Re: Re: Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD) by IlyaM (Parson) on Feb 28, 2003 at 12:37 UTC
Re: How Internet is a mess. (Playing with HTTPD) by Abigail-II (Bishop) on Feb 28, 2003 at 12:52 UTC
Some notes below your chosen depth have not been shown here
Re: Re: Re: Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD) by tachyon (Chancellor) on Feb 28, 2003 at 12:48 UTC