Re: sh-httpd `wildcard character' vulnerability

[Richard Brittain <richard () northstar dartmouth edu>]

On Mon, 27 Oct 2003, dong-h0un U wrote:

> Vulnerabilty happens '*' because don't filtering.
> Through this character, can know existence of files to directory.
...

This patch prevents the globbing, but also breaks the proper action of the
server because bname() no longer returns the filename.
A better patch is to disable all globbing in the script by turning on the
"-n" option in the shell.

> --- sh-httpd-0.4/sh-httpd       Mon Oct  9 11:28:05 2000
> +++ sh-httpd.patch      Sat Jul 19 08:51:44 2003
> @@ -31,7 +31,7 @@
>
>  bname() {
>         local IFS='/'
> -       set -- $1
> +       set -- "$1"
>         eval rc="\$$#"
>         [ "$rc" = "" ] && eval rc="\$$(($# - 1))"
>         echo "$rc"
> @@ -262,7 +262,7 @@
>
>         # Split URI into base and query string at ?
>         IFS='?'
> -       set -- $URI
> +       set -- "$URI"
>         QUERY_STRING="$2"
>         URL="$1"
>         IFS=$OIFS
> @@ -292,7 +292,7 @@
>         fi
>
>         DIR="`dname $URL`"
> -       FILE="`bname $URL`"
> +       FILE="`bname "$URL"`"
>
>         # Check for existance of directory
>         if [ ! -d "$DOCROOT/$DIR" ]; then
> === eof ===

Richard Brittain,  Kiewit Computing Services, 6224 Baker/Berry Library
                   Dartmouth College, Hanover NH 03755
Email: richard.brittain () dartmouth edu
   or: faculty-workstation-support@dartmouth