libesphttpd icon indicating copy to clipboard operation
libesphttpd copied to clipboard

Published 20 hours ago verified publisher icon Spritetm

Fix security issue when url starts from multiple slashes.

Open valkuc opened this issue 7 years ago • 6 comments

valkuc avatar Oct 11 '17 11:10 valkuc

Hi @valkuc. Appreciate the patch very much! If you've been watching there are a ton of improvements to this fork of the repository and even more due to cooperation with another fork.

For the authentication check does that require the leading slashes to work correctly and that is why removing them breaks going through the authentication check? I'm not sure I'm familiar with the authentication path.

chmorgan avatar Oct 11 '17 12:10 chmorgan

Suppose you have a next URL mappings:

{"/private/*", authBasic, cgi_private_area_auth_handler},
{"/private/secure.html", cgiEspFsTemplate, cgi_secure_tpl}

Navigating to /private/secure.html will prompt user to enter credentials. This can be "hacked" by entering url with extra slash appended. Without this patch accessing URL by //private/secure.html (note the extra slash at beginning) will skip authentication handler.

valkuc avatar Oct 11 '17 13:10 valkuc

It skips the handler because it isn't an exact match for the authentication handler but is a match for the url handler?

Would it make sense to strip all but one leading '/'? The original implementation seems to remove them all.

chmorgan avatar Oct 11 '17 14:10 chmorgan

Yes I'm actually don't see the reason to "strip all except one" but variant is acceptable I guess.

valkuc avatar Oct 11 '17 14:10 valkuc

It's interesting that stripping all of the slashes results in an authentication issue. In any case I trust your testing and will apply the changes.

chmorgan avatar Oct 11 '17 15:10 chmorgan

I have thinking of why this happens, but now don't remember. I have found this issue 4-5 months ago and now decided to create a pull request with it. You can check it, the setup is quite simple. Here is a code snippet for auth handler:

int ICACHE_FLASH_ATTR cgi_private_area_auth_handler(HttpdConnData *connData, int no, char *user, int userLen, char *pass, int passLen)
{
	if (no == 0)
	{
		os_strcpy(user, PRIV_AREA_USERNAME);
		os_strcpy(pass, PRIV_AREA_PASSWORD);

		return 1;
	}

	return 0;
}

And handler for espfs page:

void ICACHE_FLASH_ATTR cgi_secure_tpl(HttpdConnData *connData, char *token, void **arg)
{
	if (token == NULL) return;

	char buf[8];
	os_strcpy(buf, "test");
	httpdSend(connData, buf, -1);
}

valkuc avatar Oct 11 '17 15:10 valkuc