PerlMonks  

Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD)

by IlyaM (Parson)
on Feb 28, 2003 at 09:42 UTC ( #239381=note )


in reply to Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD)
in thread How Internet is a mess. (Playing with HTTPD)

Hack this.

Piece of cake:

my $up_dir = '.../...//';
my $path   = ($up_dir x 10) . 'etc/passwd';
print normalize_path($path), "\n";
Prints:
../../../../../../../../../../etc/passwd

--
Ilya Martynov, ilya@iponweb.net
CTO IPonWEB (UK) Ltd
Quality Perl Programming and Unix Support UK managed @ offshore prices - http://www.iponweb.net
Personal website - http://martynov.org


Re: Re: Re: Re: Re: Re: Re: How Internet is a mess. (Playing with HTTPD)
by tachyon (Chancellor) on Feb 28, 2003 at 11:10 UTC

    Cute! ++ of course. I find it fascinating how you can use ingenuity to spoof these types of filters. Here is one that provides more utility and of course patches your hack.

    sub ilya_proof_path {
        my ( $path ) = @_ ;
        return '' unless $path;
        my ($type, $domain, $q_string );
        # split the query string off first
        ( $path, $q_string ) = split '\?', $path;
        $q_string =~ tr/\0//d if $q_string;
        # decode %hh repeatedly so multiply-encoded sequences are fully unwrapped
        1 while $path =~ s/%([0-9a-fA-F]{2})/chr hex $1/ge;
        $path =~ s!\\+!/!g;
        $path =~ s![^\w \Q-:./#\E]!!g;
        $path =~ s!\.\.*/!!g;
        $path =~ s/^\s+//g;
        $path =~ s/ +/ /g;
        $type   = $1 if $path =~ s!^(\w+):/+!!;
        $domain = $1 if $type and $type =~ m/(?:https?|ftps?)/ and $path =~ s!^([\w\.-]+)/!!;
        # tolerate win32 drive letters as a pseudo domain
        $domain = $1 if $type and $type =~ m/file/ and $path =~ s!^([A-Z]:)/!!;
        return $path, $type, $domain, $q_string ;
    }

    cheers

    tachyon

    s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

      This one is indeed IlyaM proof :) I stared at it for 5 mins and I could not find how it can be abused ++. Anyway I'm not sure I like this approach because it is very easy to make mistakes. I would not use regexps on the whole string but I'd split the path into components first and then I'd use regexps on them. I.e. something like:
      use URI;
      my $uri = URI->new($path);
      die "bad scheme" unless is_safe_scheme($uri->scheme);
      die "bad domain" unless is_safe_domain($uri->host);
      die "bad path"   unless is_safe_path($uri->path);

      sub is_safe_scheme {
          # left as exercise to reader
      }
      sub is_safe_domain {
          # left as exercise to reader
      }
      sub is_safe_path {
          my $path  = shift;
          my @comps = split '/', $path;
          for my $comp (@comps) {
              return 0 unless is_safe_path_comp($comp);
          }
          return 1;
      }
      sub is_safe_path_comp {
          my $comp = shift;
          return 0 if $comp =~ /[\0\\]/;   # null byte or backslash
          return 0 if $comp eq '..';
          # other unsafe patterns ....
          return 1;
      }

      --
      Ilya Martynov, ilya@iponweb.net
      CTO IPonWEB (UK) Ltd
      Quality Perl Programming and Unix Support UK managed @ offshore prices - http://www.iponweb.net
      Personal website - http://martynov.org

        That would consider
        http://www.example.com/path/some/where?query/../here

        to be unsafe. You might first want to split on a question mark, and then inspect just the first part.

        Abigail

        While I can see the merit in this approach there is a lot of redundancy with the potential for holes. It does of course offer more granularity but I'm not sure you really need this and the attendant overhead. The main issues are the null byte hack, shell metachars, multiencoding %hh so you don't actually properly check the string and the old ../.. chestnut. We are reasonably protected from buffer overflows but you can easily truncate the length if desired.

        cheers

        tachyon

        s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
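An added example (not code from this thread, nor IlyaM's or tachyon's) that puts the three points of the exchange together: split the query string off first, decode %hh to a fixed point, then judge each path component instead of rewriting the whole string. The function name `safe_request_path` and the sample inputs are constructed for the demonstration.

```perl
use strict;
use warnings;

# Added example, not code from the thread. Checks a request URI the way
# IlyaM proposes (component by component, no rewriting of the string) after
# first splitting off the query string as Abigail suggests. Returns the
# canonical path, or nothing if any component is unsafe.
sub safe_request_path {
    my ($request_uri) = @_;
    return unless defined $request_uri;

    # 1. Separate path from query before inspecting anything.
    my ($path, $query) = split /\?/, $request_uri, 2;

    # 2. Decode %hh until the string stops changing, so a double-encoded
    #    '..' (%252e%252e) is seen for what it is by the checks below.
    my $prev;
    do {
        $prev = $path;
        $path =~ s/%([0-9a-fA-F]{2})/chr hex $1/ge;
    } while $path ne $prev;

    # 3. Inspect each component; reject rather than strip anything suspicious.
    my @keep;
    for my $comp (split m{/}, $path) {
        next   if $comp eq '' or $comp eq '.';  # '//' and './' are harmless
        return if $comp =~ /^\.+$/;             # '..' and all-dot names like '...'
        return if $comp =~ /[\0\\]/;            # null byte or backslash
        return if $comp =~ /[^\w.\-~]/;         # outside a tight allow-list
        push @keep, $comp;
    }

    # 4. Rebuild from the accepted components so the result is canonical.
    return '/' . join '/', @keep;
}

# Constructed inputs: IlyaM's '.../...//' trick, a double-encoded '..',
# an embedded null byte, and Abigail's query that only looks like traversal.
my @cases = (
    '/index.html',
    ('.../...//' x 3) . 'etc/passwd',
    '/a/%252e%252e/etc/passwd',
    '/a/b%00.html',
    '/path/some/where?query/../here',
);
for my $in (@cases) {
    my $got = safe_request_path($in);
    printf "%-40s => %s\n", $in, defined $got ? $got : 'REJECTED';
}
```

Because nothing is stripped or rewritten, the `.../...//` input is simply rejected as all-dot components rather than being folded into `../`, and the query string never reaches the path checks.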
