
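--- a/header.c.old
+++ b/header.c.old
@@ -538,6 +538,10 @@
 				/*
 				 * filename
 				 */
+				if (header_size >= 256) {
+				  fprintf(stderr, "Possible buffer overflow hack attack, type #1\n");
+				  exit(109);
+				}
 				for (i = 0; i < header_size - 3; i++)
 					hdr->name[i] = (char) get_byte();
 				hdr->name[header_size - 3] = '\0';
@@ -547,6 +551,10 @@
 				/*
 				 * directory
 				 */
+				if (header_size >= FILENAME_LENGTH) {
+				  fprintf(stderr, "Possible buffer overflow hack attack, type #2\n");
+				  exit(110);
+				}
 				for (i = 0; i < header_size - 3; i++)
 					dirname[i] = (char) get_byte();
 				dirname[header_size - 3] = '\0';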
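Review bot: Both added guards bound `header_size` only from above, so a value below 3 still reaches `header_size - 3` in the loop limit and in the terminator writes `hdr->name[header_size - 3] = '\0';` and `dirname[header_size - 3] = '\0';`. The declaration of `header_size` is outside these hunks; if it is signed the terminator lands before the buffer, and if it is unsigned the loop bound wraps to a very large count. The filename guard should read `if (header_size < 3 || header_size >= 256) {`, with the same lower bound added to the directory guard. The literal 256 also differs from the `FILENAME_LENGTH` used for `dirname`; if `hdr->name` is an array, `sizeof(hdr->name)` would tie the limit to the real buffer size instead of a number that has to be kept in sync by hand.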
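--- a/lhext.c.old
+++ b/lhext.c.old
@@ -190,8 +190,13 @@
 		q = (char *) rindex(hdr->name, '/') + 1;
 	}
 	else {
+		if (is_directory_traversal(q)) {
+		  fprintf(stderr, "Possible directory traversal hack attempt in %s\n", q);
+		  exit(111);
+		}
+
 		if (*q == '/') {
-			q++;
+			while (*q == '/') { q++; }
 			/*
 			 * if OSK then strip device name
 			 */
@@ -419,6 +424,33 @@
 	return;
 }
 
+int
+is_directory_traversal(char *string)
+{
+  unsigned int type = 0; /* 0 = new, 1 = only dots, 2 = other chars than dots */
+  char *temp;
+
+  temp = string;
+
+  while (*temp != 0) {
+    if (temp[0] == '/') {
+      if (type == 1) { return 1; }
+      type = 0;
+      temp++;
+      continue;
+    }
+
+    if ((temp[0] == '.') && (type < 2))
+      type = 1;
+    if (temp[0] != '.')
+      type = 2;
+
+    temp++;
+  } /* while */
+
+  return (type == 1);
+}
+
 /* Local Variables: */
 /* mode:c */
 /* tab-width:4 */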
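Review bot: `is_directory_traversal()` returns 1 for any path component made only of dots, so `./name` and `...` are rejected along with `..`, and the caller's `exit(111)` then abandons the rest of the archive. That contract needs a header comment on the function, for example `/* Returns 1 if any '/'-separated component of string consists solely of '.' characters (".", "..", "..."), else 0. */`. The call at new line 193 comes before the definition at new line 427 and this diff adds no prototype, so unless a header outside the diff declares it the call relies on an implicit declaration. Adding `int is_directory_traversal(const char *string);` above the first use, with a matching `const` on the definition and on `temp`, would fix that. The rejected name is also printed with `%s` straight from the archive header, so control characters in it reach the terminal unfiltered.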
