Beefy Boxes and Bandwidth Generously Provided by pair Networks
Problems? Is your data what you think it is?
 
PerlMonks  

Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD)

by IlyaM (Parson)
on Feb 28, 2003 at 09:42 UTC ( #239381=note: print w/ replies, xml ) Need Help??


in reply to Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD)
in thread How Internet is a mess. (Playing with HTTPD)

Hack this.

Piece of cake:

my $up_dir = '.../...//'; my $path = ($up_dir x 10) . 'etc/passwd'; print normalize_path($path), "\n";
Prints:
../../../../../../../../../../etc/passwd

--
Ilya Martynov, ilya@iponweb.net
CTO IPonWEB (UK) Ltd
Quality Perl Programming and Unix Support UK managed @ offshore prices - http://www.iponweb.net
Personal website - http://martynov.org


Comment on Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD)
Select or Download Code
Re: Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD)
by tachyon (Chancellor) on Feb 28, 2003 at 11:10 UTC

    Cute! ++ of course. I find it fascinating how you can use ingenuity to spoof these types of filters. Here is one that provides more utility and of course patches your hack.

    sub ilya_proof_path { my ( $path ) = @_ ; return '' unless $path; my ($type, $domain, $q_string ); ( $path, $q_string ) = split '\?', $path; $q_string =~ tr/\0//d if $q_string; 1 while $path =~ s/%([0-9a-fA-F]{2})/chr hex $1/ge; $path =~ s!\\+!/!g; $path =~ s![^\w \Q-:./#\E]!!g; $path =~ s!\.\.*/!!g; $path =~ s/^\s+//g; $path =~ s/ +/ /g; $type = $1 if $path =~ s!^(\w+):/+!!; $domain = $1 if $type and $type =~ m/(?:https?|ftps?)/ and $path =~ +s!^([\w\.-]+)/!!; # tolerate win32 drive letters as a pseudo domain $domain = $1 if $type and $type =~ m/file/ and $path =~ s!^([A-Z]:)/ +!!; return $path, $type, $domain, $q_string ; }

    cheers

    tachyon

    s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

      This one is indead IlyaM proof :) I stared on it for 5 mins and I could not find how it can be abused ++. Anyway I'm not sure I like this approach because it is very easy to do mistakes. I would not use regexps on whole string but I'd split path on components first and then I'd use regexps on them. I.e. something like:
      use URI; my $uri = URI->new($path); die "bad schema" unless is_safe_schema($uri->schema); die "bad domain" unless is_safe_domain($uri->host); die "bad path" unless is_safe_path($uri->path); sub is_safe_schema { # left as excersize to reader } sub is_safe_domain { # left as excersize to reader } sub is_safe_path { my $path = shift; my @comps = split '/', $path; for my $comp (@comps) { return 0 unless is_safe_path_comp } return 1; } sub is_safe_path_comp { my $comp = shift; return 0 if $comp =~ /\0\\/; return 0 if $comp eq '..'; # other unsafe patterns .... return 1; }

      --
      Ilya Martynov, ilya@iponweb.net
      CTO IPonWEB (UK) Ltd
      Quality Perl Programming and Unix Support UK managed @ offshore prices - http://www.iponweb.net
      Personal website - http://martynov.org

        While I can see the merit in this approach there is a lot of redundancy with the potential for holes . It does of course offer more granularity but I'm not sure you really need this and the attendant overhead. The main issues are the null byte hack, shell metachars, multiencoding %hh so you don't actually properly check the string and the old ../.. chestnut. We are reasonably protected from buffer overflows but you can easily truncate the length if desired.

        cheers

        tachyon

        s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

        That would consider
        http://www.example.com/path/some/where?query/../here

        to be unsafe. You might first want to split on a question mark, and then inspect just the first part.

        Abigail

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://239381]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others chilling in the Monastery: (9)
As of 2014-12-22 18:45 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (126 votes), past polls