From: Tom Peters (thopeter) Date: Mon, 24 Jan 2022 16:01:51 +0000 (+0000) Subject: Pull request #3244: BUG #719044: Snort 3 incorrectly normalizing URIs of webroot... X-Git-Tag: 3.1.21.0~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ff703d7db006988ee39f912b449b19ae67b46da3;p=thirdparty%2Fsnort3.git Pull request #3244: BUG #719044: Snort 3 incorrectly normalizing URIs of webroot directory traversals Merge in SNORT/snort3 from ~MDAGON/snort3:webroot to master Squashed commit of the following: commit d9a691f462e1c50462d2f8a5b950912285ae8cd6 Author: Maya Dagon Date: Mon Jan 10 16:23:39 2022 -0500 http_inspect: webroot traversal --- diff --git a/src/service_inspectors/http_inspect/http_uri_norm.cc b/src/service_inspectors/http_inspect/http_uri_norm.cc index ff44cb0ee..5e1c75a0d 100644 --- a/src/service_inspectors/http_inspect/http_uri_norm.cc +++ b/src/service_inspectors/http_inspect/http_uri_norm.cc @@ -421,18 +421,12 @@ int32_t UriNormalizer::norm_path_clean(uint8_t* buf, const int32_t in_length, { *infractions += INF_URI_SLASH_DOT_DOT; events->create_event(EVENT_DIR_TRAV); - // Traversing above the root of the absolute path. A path of the form - // /../../../foo/bar/whatever cannot be further normalized. Instead of taking away a - // directory we leave the .. and write out the new slash. This code can write out the - // pretend slash after the end of the buffer. That is intentional so that the normal - // form of "/../../../.." is "/../../../../" - if ( (length == 3) || - ((length >= 6) && (buf[length-4] == '.') && (buf[length-5] == '.') && - (buf[length-6] == '/'))) + // Traversing above the root of the absolute path. Remove .. , leave the leading / + if (length == 3) { *infractions += INF_URI_ROOT_TRAV; events->create_event(EVENT_WEBROOT_DIR); - buf[length++] = '/'; + length -= 2; } // Remove the previous directory from the output. "/foo/bar/../" becomes "/foo/" else