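--- src/sgDiv.c.orig 2009-02-12 07:31:57.000000000 -0600
+++ src/sgDiv.c 2008-06-13 11:52:17.000000000 -0500
@@ -94,6 +94,9 @@
 {
 char *p, *d = NULL, *a = NULL, *e = NULL, *o, *field;
 int i = 0;
+ int report_once = 1;
+ int trailingdot = 0;
+ size_t strsz;
 char c;
 int ndx = 0;
 
@@ -126,22 +129,38 @@
 */
 /* Fix for multiple slash vulnerability (bug1). */
 /* Check if there are still two or more slashes in sequence which must not happen */
- int report_once = 1;
+ strsz = strlen(p);
 
- /* loop thru the string 'p' until the char '?' is hit */
+ /* loop thru the string 'p' until the char '?' is hit or the "end" is hit */
 while('?' != p[ndx] && '\0' != p[ndx])
 {
- /* if this char and the next char are slashes,
- then shift the rest of the string left one char */
- if('/' == p[ndx] && '/' == p[ndx+1])
- {
- size_t sz = strlen(p+ndx+1);
- strncpy(p+ndx,p+ndx+1, sz);
- p[ndx+sz] = '\0';
- if(1 == report_once) {
- sgLogError("Warning: Possible bypass attempt. Found multiple slashes where only one is expected: %s", s->orig);
- report_once--;
+ /* in case this is a '://' skip over it, but try to not read past EOS */
+ if(3 <= strsz-ndx) {
+ if(':' == p[ndx] && '/' == p[ndx+1] && '/' == p[ndx+2]) {
+ ndx+=3; /* 3 == strlen("://"); */
+ }
 }
+
+ /* if this char and the next char are slashes,
+ * then shift the rest of the string left one char */
+ if('/' == p[ndx] && '/' == p[ndx+1]) {
+ size_t sz = strlen(p+ndx+1);
+ strncpy(p+ndx,p+ndx+1, sz);
+ p[ndx+sz] = '\0';
+ if(1 == report_once) {
+ sgLogError("Warning: Possible bypass attempt. Found multiple slashes where only one is expected: %s", s->orig);
+ report_once--;
+ }
+ }
+ else if ('.' == p[ndx] && '/' == p[ndx+1] && trailingdot == 0) {
+ /* If the domain has trailing dot, remove (problem found with squid 3.0 stable1-5) the trailing dot (fixes bug 38). */
+ /* if this char is a dot and the next char is a slash, then shift the rest of the string left one char */
+ /* We do this only the first time it is encountered. */
+ trailingdot++;
+ size_t sz = strlen(p+ndx+1);
+ strncpy(p+ndx,p+ndx+1, sz);
+ p[ndx+sz] = '\0';
+ sgLogError("Warning: Possible bypass attempt. Found a trailing dot in the domain name: %s", s->orig);
 }
 else
 {
@@ -537,13 +556,13 @@
 #endif
 {
 struct sgRegExp *re;
- regmatch_t pm[10];
+ regmatch_t pm;
 static char newstring[MAX_BUF];
 char *result = NULL, *p;
 int substlen;
 *newstring='\0';
 for(re = regexp; re != NULL; re = re->next){
- if (regexec (re->compiled, pattern, sizeof(pm) / sizeof(pm[0]), pm, 0) != 0){
+ if (regexec (re->compiled, pattern, 1, &pm, 0) != 0){
 result = NULL;
 } else {
 substlen = strlen(re->substitute);
@@ -553,65 +572,14 @@
 *newstring = '\0';
 p = newstring;
 do {
- if((p - newstring)+ pm[0].rm_so >= MAX_BUF)
+ if((p - newstring)+ pm.rm_so >= MAX_BUF)
 break;
- p = strncat(newstring,pattern,pm[0].rm_so);
- {
- char *p_cur;
- char *p_next;
-
- for (p_next = p_cur = re->substitute;
- p_next < (re->substitute + substlen);
- p_next++)
- {
- if (*p_next == '\\')
- {
- if (p_cur < p_next)
- {
- if (((p - newstring) + (p_next - p_cur)) >= MAX_BUF)
- goto err;
- p = strncat(newstring, p_cur, p_next - p_cur);
- }
- p_next++;
- if (p_next < (re->substitute + substlen)
- && '0' <= *p_next && *p_next <= '9')
- {
- int i = *p_next - '0';
- if ((p - newstring) + (pm[i].rm_eo - pm[i].rm_so) >= MAX_BUF)
- goto err;
- p = strncat(newstring, pattern + pm[i].rm_so, pm[i].rm_eo - pm[i].rm_so);
- }
- else
- {
- if ((p - newstring + 1) >= MAX_BUF)
- goto err;
- p = strncat(newstring, p_next, 1);
- }
- p_cur = p_next + 1;
- }
- else if (*p_next == '&')
- {
- if (p_cur < p_next)
- {
- if (((p - newstring) + (p_next - p_cur)) >= MAX_BUF)
- goto err;
- p = strncat(newstring, p_cur, p_next - p_cur);
- }
- if (((p - newstring) + (pm[0].rm_eo - pm[0].rm_so)) >= MAX_BUF)
- goto err;
- p = strncat(newstring, pattern + pm[0].rm_so, pm[0].rm_eo - pm[0].rm_so);
- p_cur = p_next + 1;
- }
- }
- if (p_cur < p_next)
- {
- if (((p - newstring) + (p_next - p_cur)) >= MAX_BUF)
- goto err;
- p = strncat(newstring, p_cur, p_next - p_cur);
- }
- }
- pattern = pattern + pm[0].rm_eo;
- } while(regexec (re->compiled, pattern, sizeof(pm) / sizeof(pm[0]), pm, REG_NOTBOL)== 0 &&
+ p = strncat(newstring,pattern,pm.rm_so);
+ if((p - newstring)+ substlen >= MAX_BUF)
+ break;
+ p = strcat(newstring,re->substitute);
+ pattern = pattern + pm.rm_eo;
+ } while(regexec (re->compiled, pattern, 1, &pm, REG_NOTBOL)== 0 &&
 re->global);
 if((p - newstring)+ strlen(pattern) <= MAX_BUF)
 p = strcat(newstring,pattern);
@@ -619,7 +587,6 @@
 break;
 }
 }
-err:
 return result;
 }
 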
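Review bot: In the substitution loop of the `@@ -553,65 +572,14 @@` hunk the two bounds checks never see how full `newstring` is: `strncat` and `strcat` return their destination, so `p` stays equal to `newstring` and `(p - newstring)` is always 0. Each check therefore compares only the current piece with MAX_BUF, and with `re->global` repeated matches on a long input can append past the static `newstring[MAX_BUF]`. Keep an explicit length instead, for example `size_t used = strlen(newstring);` followed by `if (used + (size_t)pm.rm_so + substlen >= MAX_BUF) break;` before the two appends. Separately, both left-shifts in the `@@ -126,22 +129,38 @@` hunk call `strncpy(p+ndx,p+ndx+1, sz)` on overlapping ranges, which is undefined behaviour; `memmove(p+ndx, p+ndx+1, sz+1);` performs the shift and carries the terminator. Both functions begin and end outside the hunks shown.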