From: Phil Carmody <phil@dovecot.fi>
Date: Thu, 14 Jun 2018 05:51:37 +0000 (+0300)
Subject: lib-http: harden payload tests against dodgy filenames
X-Git-Tag: 2.3.9~1494
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9a5b493cc40712d9be0affa9e7ee8ceb06cad4f2;p=thirdparty%2Fdovecot%2Fcore.git

lib-http: harden payload tests against dodgy filenames

Tests use files from readdir() as input, but do no sanitation of the
names, and therefore things like editor temp files can cause havoc
with the HTTP request parser.

The solution is to trap dodgy characters in the filenames, and ignore
those files. Initially, trap HTTP's "unsafe" and "reserved" characters.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
---

diff --git a/src/lib-http/test-http-payload.c b/src/lib-http/test-http-payload.c
index d0c4315537..d00fe19613 100644
--- a/src/lib-http/test-http-payload.c
+++ b/src/lib-http/test-http-payload.c
@@ -67,6 +67,7 @@ static unsigned ioloop_nested_depth = 0;
 /*
  * Test files
  */
+static const char unsafe_characters[] = "\"<>#%{}|\\^~[]` ;/?:@=&";
 
 static ARRAY_TYPE(const_string) files;
 static pool_t files_pool;
@@ -92,7 +93,8 @@ static void test_files_read_dir(const char *path)
 		errno = 0;
 		if ((dp=readdir(dirp)) == NULL)
 			break;
-		if (*dp->d_name == '.')
+		if (*dp->d_name == '.' ||
+		    dp->d_name[strcspn(dp->d_name, unsafe_characters)] != '\0')
 			continue;
 
 		file = t_abspath_to(dp->d_name, path);