Skip to content

Comments

Fix security issue when url starts from multiple slashes.#44

Open
valkuc wants to merge 2 commits intoSpritetm:masterfrom
valkuc:upstream
Open

Fix security issue when url starts from multiple slashes.#44
valkuc wants to merge 2 commits intoSpritetm:masterfrom
valkuc:upstream

Conversation

@valkuc
Copy link
Contributor

@valkuc valkuc commented Oct 11, 2017

No description provided.

@valkuc valkuc mentioned this pull request Oct 11, 2017
Closed
@chmorgan
Copy link

chmorgan commented Oct 11, 2017

Hi @valkuc. Appreciate the patch very much! If you've been watching there are a ton of improvements to this fork of the repository and even more due to cooperation with another fork.

For the authentication check does that require the leading slashes to work correctly and that is why removing them breaks going through the authentication check? I'm not sure I'm familiar with the authentication path.

@valkuc
Copy link
Contributor Author

valkuc commented Oct 11, 2017

Suppose you have a next URL mappings:

{"/private/*", authBasic, cgi_private_area_auth_handler},
{"/private/secure.html", cgiEspFsTemplate, cgi_secure_tpl}

Navigating to /private/secure.html will prompt user to enter credentials. This can be "hacked" by entering url with extra slash appended. Without this patch accessing URL by //private/secure.html (note the extra slash at beginning) will skip authentication handler.

@chmorgan
Copy link

chmorgan commented Oct 11, 2017

It skips the handler because it isn't an exact match for the authentication handler but is a match for the url handler?

Would it make sense to strip all but one leading '/'? The original implementation seems to remove them all.

@valkuc
Copy link
Contributor Author

valkuc commented Oct 11, 2017

Yes
I'm actually don't see the reason to "strip all except one" but variant is acceptable I guess.

@chmorgan
Copy link

chmorgan commented Oct 11, 2017

It's interesting that stripping all of the slashes results in an authentication issue. In any case I trust your testing and will apply the changes.

@valkuc
Copy link
Contributor Author

valkuc commented Oct 11, 2017

I have thinking of why this happens, but now don't remember. I have found this issue 4-5 months ago and now decided to create a pull request with it. You can check it, the setup is quite simple. Here is a code snippet for auth handler:

int ICACHE_FLASH_ATTR cgi_private_area_auth_handler(HttpdConnData *connData, int no, char *user, int userLen, char *pass, int passLen)
{
	if (no == 0)
	{
		os_strcpy(user, PRIV_AREA_USERNAME);
		os_strcpy(pass, PRIV_AREA_PASSWORD);

		return 1;
	}

	return 0;
}

And handler for espfs page:

void ICACHE_FLASH_ATTR cgi_secure_tpl(HttpdConnData *connData, char *token, void **arg)
{
	if (token == NULL) return;

	char buf[8];
	os_strcpy(buf, "test");
	httpdSend(connData, buf, -1);
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@valkuc @chmorgan