From 90f489ef7ff4d9517eb9cb52fb75a95d5d391747 Mon Sep 17 00:00:00 2001
From: bcook <>
Date: Fri, 4 Oct 2019 09:47:34 +0000
Subject: Avoid a path traversal bug in s_server on Windows.
openssl s_server has an arbitrary read vulnerability on Windows when run with the -WWW or -HTTP options, due to an incomplete path check logic.
Thanks to Jobert Abma for reporting.
ok tb@
---
 src/usr.bin/openssl/s_server.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'src/usr.bin/openssl/s_server.c')
diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c
index a15795151f..2026e72942 100644
--- a/src/usr.bin/openssl/s_server.c
+++ b/src/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.31 2019/06/28 13:35:02 deraadt Exp $ */
+/* $OpenBSD: s_server.c,v 1.32 2019/10/04 09:47:34 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1839,11 +1839,11 @@ www_body(char *hostname, int s, unsigned char *context)
 dot = (e[0] == '.') ? 3 : 0;
 break;
 case 3:
- dot = (e[0] == '/') ? -1 : 0;
+ dot = (e[0] == '/' || e[0] == '\\') ? -1 : 0;
 break;
 }
 if (dot == 0)
- dot = (e[0] == '/' || e[0] == '\\') ? 1 : 0;
+ dot = (e[0] == '/' || e[0] == '\\') ? 1 : 0;
 }
 dot = (dot == 3) || (dot == -1); /* filename contains
 * ".." component */
-- 
cgit v1.2.3-55-g6feb
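Review bot: The separator test `e[0] == '/' || e[0] == '\\'` is now duplicated at the two changed lines of the www_body hunk (the `case 3:` transition and the `if (dot == 0)` reset), and the unchanged `dot = (e[0] == '.') ? 3 : 0;` and trailing comment still describe only the `/` form; a single `static int is_path_sep(int c) { return c == '/' || c == '\\'; }` used at both sites would keep the two transitions from drifting apart again, which is how the original Windows gap arose. The trailing comment should also say what the state machine now detects, e.g. `/* filename contains a ".." component delimited by '/' or '\\' */`. Treating `\\` as a separator on every platform is a conservative choice worth a one-line comment, since on non-Windows hosts it rejects otherwise-valid names containing a literal backslash. This hunk only shows the `..`-component check; whether www_body also rejects absolute paths or drive-letter prefixes is not visible here and should be confirmed in the rest of the function, which begins and ends outside the hunk.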