string file = "."+combine_path("/",request->not_query);
file = Protocols.HTTP.uri_decode(file);
Stdio.Stat s = file_stat( file );
If the not_query contains "..%2F", combine_path sees that as a perfectly normal directory, and then it gets URI decoded, and Pike will happily read files outside of the directory it's been set to.
Is there a reason the URI decode is done after combine_path?
ChrisA
The use of combine_path and string-pasting with "." also looks unportable. Since not_query is a "UNIX style" path, it should be used with combine_path_unix. And the syntax for current directory is platform dependent. It should probably be something along the lines of:
string file = combine_path(getcwd(), combine_path_unix("/",X)[1..]);
pike-devel@lists.lysator.liu.se
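The two orderings discussed in this thread, side by side, as an added Pike example that is not code from either poster or from the Pike tree. The function names, the containment check and the request paths are constructed for illustration, and a POSIX-style working directory is assumed.

```pike
// Added example, not from the thread. Request paths below are constructed.

// Order used by the snippet under discussion: normalise first, decode last.
// Any "%2F" or "%2E" is still opaque text when combine_path() runs.
string resolve_decode_last(string not_query)
{
  string file = "." + combine_path("/", not_query);
  return Protocols.HTTP.uri_decode(file);
}

// Assumed alternative: decode first, then normalise as a UNIX-style path
// anchored at "/", so ".." can never climb above it, then attach to root.
string resolve_decode_first(string root, string not_query)
{
  string decoded = Protocols.HTTP.uri_decode(not_query);
  string rel = combine_path_unix("/", decoded)[1..];
  return combine_path(root, rel);
}

// Containment check on the final, fully normalised path.
int inside_root(string root, string file)
{
  string r = combine_path(root);
  string f = combine_path(r, file);   // resolves a relative file against r
  return f == r || has_prefix(f, r == "/" ? r : r + "/");
}

int main()
{
  string root = getcwd();
  foreach (({ "/index.html",
              "/..%2F..%2Fetc/passwd",
              "/a/%2E%2E/%2E%2E/b" }), string q)
  {
    string last = resolve_decode_last(q);
    string first = resolve_decode_first(root, q);
    write("%s\n", q);
    write("  decode last:  %s (inside root: %d)\n",
          last, inside_root(root, last));
    write("  decode first: %s (inside root: %d)\n",
          first, inside_root(root, first));
  }
  return 0;
}
```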