Avoid a path traversal bug in s_server on Windows.

openssl s_server has an arbitrary read vulnerability on Windows when run with the -WWW or -HTTP options, due to an incomplete path check logic. Thanks to Jobert Abma for reporting. ok tb@
author: bcook <> 2019-10-04 09:47:34 +0000
committer: bcook <> 2019-10-04 09:47:34 +0000
commit: 90f489ef7ff4d9517eb9cb52fb75a95d5d391747 (patch)
tree: 979710938ff694121605f5f76e18747b6065f785
parent: 1b6c1e78d6ad6a475e391e0d52ead3a98e4b79c8 (diff)
download: openbsd-90f489ef7ff4d9517eb9cb52fb75a95d5d391747.tar.gz
openbsd-90f489ef7ff4d9517eb9cb52fb75a95d5d391747.tar.bz2
openbsd-90f489ef7ff4d9517eb9cb52fb75a95d5d391747.zip
1 files changed, 3 insertions, 3 deletions
diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c
index a15795151f..2026e72942 100644
--- a/src/usr.bin/openssl/s_server.c
+++ b/src/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.31 2019/06/28 13:35:02 deraadt Exp $ */
+/* $OpenBSD: s_server.c,v 1.32 2019/10/04 09:47:34 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1839,11 +1839,11 @@ www_body(char *hostname, int s, unsigned char *context)
                                        dot = (e[0] == '.') ? 3 : 0;
                                        break;
                                case 3:
-                                        dot = (e[0] == '/') ? -1 : 0;
+                                        dot = (e[0] == '/' || e[0] == '\\') ? -1 : 0;
                                        break;
                                }
                                if (dot == 0)
-                                        dot = (e[0] == '/') ? 1 : 0;
+                                        dot = (e[0] == '/' || e[0] == '\\') ? 1 : 0;
                        }
                        dot = (dot == 3) || (dot == -1);        /* filename contains
                                                                 * ".." component */
author	bcook <>	2019-10-04 09:47:34 +0000
committer	bcook <>	2019-10-04 09:47:34 +0000
commit	90f489ef7ff4d9517eb9cb52fb75a95d5d391747 (patch)
tree	979710938ff694121605f5f76e18747b6065f785
parent	1b6c1e78d6ad6a475e391e0d52ead3a98e4b79c8 (diff)
download	openbsd-90f489ef7ff4d9517eb9cb52fb75a95d5d391747.tar.gz openbsd-90f489ef7ff4d9517eb9cb52fb75a95d5d391747.tar.bz2 openbsd-90f489ef7ff4d9517eb9cb52fb75a95d5d391747.zip

diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c index a15795151f..2026e72942 100644 --- a/src/usr.bin/openssl/s_server.c +++ b/src/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s_server.c,v 1.31 2019/06/28 13:35:02 deraadt Exp $ */	1	/* $OpenBSD: s_server.c,v 1.32 2019/10/04 09:47:34 bcook Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1839,11 +1839,11 @@ www_body(char hostname, int s, unsigned char context)
1839	dot = (e[0] == '.') ? 3 : 0;	1839	dot = (e[0] == '.') ? 3 : 0;
1840	break;	1840	break;
1841	case 3:	1841	case 3:
1842	dot = (e[0] == '/') ? -1 : 0;	1842	dot = (e[0] == '/' \|\| e[0] == '\\') ? -1 : 0;
1843	break;	1843	break;
1844	}	1844	}
1845	if (dot == 0)	1845	if (dot == 0)
1846	dot = (e[0] == '/') ? 1 : 0;	1846	dot = (e[0] == '/' \|\| e[0] == '\\') ? 1 : 0;
1847	}	1847	}
1848	dot = (dot == 3) \|\| (dot == -1); /* filename contains	1848	dot = (dot == 3) \|\| (dot == -1); /* filename contains
1849	* ".." component */	1849	* ".." component */