From 9a5b493cc40712d9be0affa9e7ee8ceb06cad4f2 Mon Sep 17 00:00:00 2001
From: Phil Carmody <phil@dovecot.fi>
Date: Thu, 14 Jun 2018 08:51:37 +0300
Subject: [PATCH] lib-http: harden payload tests against dodgy filenames

Tests use files from readdir() as input, but do no sanitation of the
names, and therefore things like editor temp files can cause havoc
with the HTTP request parser.

The solution is to trap dodgy characters in the filenames, and ignore
those files. Initially, trap HTTP's "unsafe" and "reserved" characters.

Signed-off-by: Phil Carmody <phil@dovecot.fi>
---
 src/lib-http/test-http-payload.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/lib-http/test-http-payload.c b/src/lib-http/test-http-payload.c
index d0c4315537..d00fe19613 100644
--- a/src/lib-http/test-http-payload.c
+++ b/src/lib-http/test-http-payload.c
@@ -67,6 +67,7 @@ static unsigned ioloop_nested_depth = 0;
 /*
  * Test files
  */
+static const char unsafe_characters[] = "\"<>#%{}|\\^~[]` ;/?:@=&";
 
 static ARRAY_TYPE(const_string) files;
 static pool_t files_pool;
@@ -92,7 +93,8 @@ static void test_files_read_dir(const char *path)
 		errno = 0;
 		if ((dp=readdir(dirp)) == NULL)
 			break;
-		if (*dp->d_name == '.')
+		if (*dp->d_name == '.' ||
+		    dp->d_name[strcspn(dp->d_name, unsafe_characters)] != '\0')
 			continue;
 
 		file = t_abspath_to(dp->d_name, path);
-- 
2.47.3