diff options
author | Glenn Strauss <gstrauss@gluelogic.com> | 2021-02-01 04:01:12 -0500 |
---|---|---|
committer | Glenn Strauss <gstrauss@gluelogic.com> | 2021-02-01 04:11:38 -0500 |
commit | 649829f90688e780f1df780035a630d3fc9faa1b (patch) | |
tree | bdfa159ac5fdc7f2df73929b0e86a08b989a82bb | |
parent | b80d287df7f0bcea62434e270e52af71fa5ac789 (diff) | |
download | lighttpd-git-649829f90688e780f1df780035a630d3fc9faa1b.tar.gz |
[mod_cgi] fix assert if empty X-Sendfile path (fixes #3062)
(thx axe34)
Please note that this would not have crashed "x-sendfile-docroot"
were set to restrict the locations of files that can be sent via
X-Sendfile. If users are untrusted, "x-sendfile" should not be
enable without also configuring "x-sendfile-docroot"
x-ref:
"Server Aborted due to Malicious Data sent through CGI Sendfile"
https://redmine.lighttpd.net/issues/3062
-rw-r--r-- | src/http-header-glue.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/src/http-header-glue.c b/src/http-header-glue.c index 2ed9d45b..6531843c 100644 --- a/src/http-header-glue.c +++ b/src/http-header-glue.c @@ -737,6 +737,10 @@ static void http_response_xsendfile (request_st * const r, buffer * const path, if (r->conf.force_lowercase_filenames) { buffer_to_lower(path); } + if (buffer_string_is_empty(path)) { + r->http_status = 502; + valid = 0; + } /* check that path is under xdocroot(s) * - xdocroot should have trailing slash appended at config time @@ -815,6 +819,10 @@ static void http_response_xsendfile2(request_st * const r, const buffer * const if (r->conf.force_lowercase_filenames) { buffer_to_lower(b); } + if (buffer_string_is_empty(b)) { + r->http_status = 502; + break; + } if (xdocroot) { size_t i, xlen = buffer_string_length(b); for (i = 0; i < xdocroot->used; ++i) { |