Description: CVE-2015-1419: config option deny_file is not handled correctly Author: Marcus Meissner Origin: https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-1419 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776922 Last-Update: 2015-02-24 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ --- a/ls.c +++ b/ls.c @@ -7,6 +7,7 @@ * Would you believe, code to handle directory listing. */ +#include #include "ls.h" #include "access.h" #include "defs.h" @@ -243,11 +244,42 @@ vsf_filename_passes_filter(const struct struct mystr temp_str = INIT_MYSTR; struct mystr brace_list_str = INIT_MYSTR; struct mystr new_filter_str = INIT_MYSTR; + struct mystr normalize_filename_str = INIT_MYSTR; + const char *normname; + const char *path; int ret = 0; char last_token = 0; int must_match_at_current_pos = 1; + str_copy(&filter_remain_str, p_filter_str); - str_copy(&name_remain_str, p_filename_str); + + /* normalize filepath */ + path = str_strdup(p_filename_str); + normname = realpath(path, NULL); + if (normname == NULL) + goto out; + str_alloc_text(&normalize_filename_str, normname); + + if (!str_isempty (&filter_remain_str) && !str_isempty(&normalize_filename_str)) { + if (str_get_char_at(p_filter_str, 0) == '/') { + if (str_get_char_at(&normalize_filename_str, 0) != '/') { + str_getcwd (&name_remain_str); + + if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */ + str_append_char (&name_remain_str, '/'); + + str_append_str (&name_remain_str, &normalize_filename_str); + } + else + str_copy (&name_remain_str, &normalize_filename_str); + } else { + if (str_get_char_at(p_filter_str, 0) != '{') + str_basename (&name_remain_str, &normalize_filename_str); + else + str_copy (&name_remain_str, &normalize_filename_str); + } + } else + str_copy(&name_remain_str, &normalize_filename_str); while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX) { @@ -360,6 +392,9 @@ vsf_filename_passes_filter(const struct ret = 0; } out: + free(normname); + free(path); + str_free(&normalize_filename_str); str_free(&filter_remain_str); str_free(&name_remain_str); str_free(&temp_str); --- a/str.c +++ b/str.c @@ -711,3 +711,14 @@ str_replace_unprintable(struct mystr* p_ } } +void +str_basename (struct mystr* d_str, const struct mystr* path) +{ + static struct mystr tmp; + + str_copy (&tmp, path); + str_split_char_reverse(&tmp, d_str, '/'); + + if (str_isempty(d_str)) + str_copy (d_str, path); +} --- a/str.h +++ b/str.h @@ -100,6 +100,7 @@ void str_replace_unprintable(struct myst int str_atoi(const struct mystr* p_str); filesize_t str_a_to_filesize_t(const struct mystr* p_str); unsigned int str_octal_to_uint(const struct mystr* p_str); +void str_basename (struct mystr* d_str, const struct mystr* path); /* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string * buffer, starting at character position 'p_pos'. The extracted line will