2 files changed, 35 insertions, 7 deletions
diff --git a/networking/ftpd.c b/networking/ftpd.c
index 7735b7233..8345ae67c 100644
--- a/networking/ftpd.c
+++ b/networking/ftpd.c
@@ -1223,11 +1223,26 @@ int ftpd_main(int argc UNUSED_PARAM, char **argv)
 #endif
        argv += optind;
        if (argv[0]) {
+                const char *basedir = argv[0];
 #if !BB_MMU
                G.root_fd = xopen("/", O_RDONLY | O_DIRECTORY);
                close_on_exec_on(G.root_fd);
 #endif
-                xchroot(argv[0]);
+                if (chroot(basedir) == 0)
+                        basedir = "/";
+#if !BB_MMU
+                else {
+                        close(G.root_fd);
+                        G.root_fd = -1;
+                }
+#endif
+                /*
+                 * If chroot failed, assume that we aren't root,
+                 * and at least chdir to the specified DIR
+                 * (older versions were dying with error message).
+                 * If chroot worked, move current dir to new "/":
+                 */
+                xchdir(basedir);
        }
 #if ENABLE_FEATURE_FTP_AUTHENTICATION
diff --git a/networking/httpd.c b/networking/httpd.c
index 00169c36d..ed15fd883 100644
--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -967,19 +967,30 @@ static void send_headers(int responseNum)
        }
 #endif
        if (responseNum == HTTP_MOVED_TEMPORARILY) {
-                len += sprintf(iobuf + len, "Location: %s/%s%s\r\n",
+                /* Responding to "GET /dir" with
+                 * "HTTP/1.0 302 Found" "Location: /dir/"
+                 * - IOW, asking them to repeat with a slash.
+                 * Here, overflow IS possible, can't use sprintf:
+                 * mkdir test
+                 * python -c 'print("get /test?" + ("x" * 8192))' | busybox httpd -i -h .
+                 */
+                len += snprintf(iobuf + len, IOBUF_SIZE-3 - len,
+                                "Location: %s/%s%s\r\n",
                                found_moved_temporarily,
                                (g_query ? "?" : ""),
                                (g_query ? g_query : ""));
+                if (len > IOBUF_SIZE-3)
+                        len = IOBUF_SIZE-3;
        }
 #if ENABLE_FEATURE_HTTPD_ERROR_PAGES
        if (error_page && access(error_page, R_OK) == 0) {
-                strcat(iobuf, "\r\n");
+                iobuf[len++] = '\r';
-                len += 2;
+                iobuf[len++] = '\n';
+                if (DEBUG) {
-                if (DEBUG)
+                        iobuf[len] = '\0';
                        fprintf(stderr, "headers: '%s'\n", iobuf);
+                }
                full_write(STDOUT_FILENO, iobuf, len);
                if (DEBUG)
                        fprintf(stderr, "writing error page: '%s'\n", error_page);
@@ -1021,8 +1032,10 @@ static void send_headers(int responseNum)
                                responseNum, responseString,
                                responseNum, responseString, infoString);
        }
-        if (DEBUG)
+        if (DEBUG) {
+                iobuf[len] = '\0';
                fprintf(stderr, "headers: '%s'\n", iobuf);
+        }
        if (full_write(STDOUT_FILENO, iobuf, len) != len) {
                if (verbose > 1)
                        bb_perror_msg("error");

diff --git a/networking/ftpd.c b/networking/ftpd.c index 7735b7233..8345ae67c 100644 --- a/networking/ftpd.c +++ b/networking/ftpd.c
@@ -1223,11 +1223,26 @@ int ftpd_main(int argc UNUSED_PARAM, char **argv)
1223	#endif	1223	#endif
1224	argv += optind;	1224	argv += optind;
1225	if (argv[0]) {	1225	if (argv[0]) {
		1226	const char *basedir = argv[0];
1226	#if !BB_MMU	1227	#if !BB_MMU
1227	G.root_fd = xopen("/", O_RDONLY \| O_DIRECTORY);	1228	G.root_fd = xopen("/", O_RDONLY \| O_DIRECTORY);
1228	close_on_exec_on(G.root_fd);	1229	close_on_exec_on(G.root_fd);
1229	#endif	1230	#endif
1230	xchroot(argv[0]);	1231	if (chroot(basedir) == 0)
		1232	basedir = "/";
		1233	#if !BB_MMU
		1234	else {
		1235	close(G.root_fd);
		1236	G.root_fd = -1;
		1237	}
		1238	#endif
		1239	/*
		1240	* If chroot failed, assume that we aren't root,
		1241	* and at least chdir to the specified DIR
		1242	* (older versions were dying with error message).
		1243	* If chroot worked, move current dir to new "/":
		1244	*/
		1245	xchdir(basedir);
1231	}	1246	}
1232		1247
1233	#if ENABLE_FEATURE_FTP_AUTHENTICATION	1248	#if ENABLE_FEATURE_FTP_AUTHENTICATION


diff --git a/networking/httpd.c b/networking/httpd.c index 00169c36d..ed15fd883 100644 --- a/networking/httpd.c +++ b/networking/httpd.c
@@ -967,19 +967,30 @@ static void send_headers(int responseNum)
967	}	967	}
968	#endif	968	#endif
969	if (responseNum == HTTP_MOVED_TEMPORARILY) {	969	if (responseNum == HTTP_MOVED_TEMPORARILY) {
970	len += sprintf(iobuf + len, "Location: %s/%s%s\r\n",	970	/* Responding to "GET /dir" with
		971	* "HTTP/1.0 302 Found" "Location: /dir/"
		972	* - IOW, asking them to repeat with a slash.
		973	* Here, overflow IS possible, can't use sprintf:
		974	* mkdir test
		975	* python -c 'print("get /test?" + ("x" * 8192))' \| busybox httpd -i -h .
		976	*/
		977	len += snprintf(iobuf + len, IOBUF_SIZE-3 - len,
		978	"Location: %s/%s%s\r\n",
971	found_moved_temporarily,	979	found_moved_temporarily,
972	(g_query ? "?" : ""),	980	(g_query ? "?" : ""),
973	(g_query ? g_query : ""));	981	(g_query ? g_query : ""));
		982	if (len > IOBUF_SIZE-3)
		983	len = IOBUF_SIZE-3;
974	}	984	}
975		985
976	#if ENABLE_FEATURE_HTTPD_ERROR_PAGES	986	#if ENABLE_FEATURE_HTTPD_ERROR_PAGES
977	if (error_page && access(error_page, R_OK) == 0) {	987	if (error_page && access(error_page, R_OK) == 0) {
978	strcat(iobuf, "\r\n");	988	iobuf[len++] = '\r';
979	len += 2;	989	iobuf[len++] = '\n';
980		990	if (DEBUG) {
981	if (DEBUG)	991	iobuf[len] = '\0';
982	fprintf(stderr, "headers: '%s'\n", iobuf);	992	fprintf(stderr, "headers: '%s'\n", iobuf);
		993	}
983	full_write(STDOUT_FILENO, iobuf, len);	994	full_write(STDOUT_FILENO, iobuf, len);
984	if (DEBUG)	995	if (DEBUG)
985	fprintf(stderr, "writing error page: '%s'\n", error_page);	996	fprintf(stderr, "writing error page: '%s'\n", error_page);
@@ -1021,8 +1032,10 @@ static void send_headers(int responseNum)
1021	responseNum, responseString,	1032	responseNum, responseString,
1022	responseNum, responseString, infoString);	1033	responseNum, responseString, infoString);
1023	}	1034	}
1024	if (DEBUG)	1035	if (DEBUG) {
		1036	iobuf[len] = '\0';
1025	fprintf(stderr, "headers: '%s'\n", iobuf);	1037	fprintf(stderr, "headers: '%s'\n", iobuf);
		1038	}
1026	if (full_write(STDOUT_FILENO, iobuf, len) != len) {	1039	if (full_write(STDOUT_FILENO, iobuf, len) != len) {
1027	if (verbose > 1)	1040	if (verbose > 1)
1028	bb_perror_msg("error");	1041	bb_perror_msg("error");