From d237016c0c13078d147ee15a015eb7d8a0488547 Mon Sep 17 00:00:00 2001
From: Neil
Date: Tue, 2 Feb 2021 10:57:14 +0000
Subject: [PATCH] Fix path traversal/injection security bug. Thanks to Steven Frank at panic.com for pointing it out.
---
 gemini.class.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/gemini.class.php b/gemini.class.php
index 576d9aa..a27823b 100644
--- a/gemini.class.php
+++ b/gemini.class.php
@@ -91,7 +91,8 @@ class Gemini {
 // Kristall Browser is adding "__" to the end of the filenames
 // wtf am I missing?
- $url['path'] = str_replace("__", "", $url['path']);
+ // also removing ".." to mitigate against directory traversal
+ $url['path'] = str_replace(array("..", "__"), "", $url['path']);
 // force an index file to be appended if a filename is missing
 if(empty($url['path'])) {
 $url['path'] = "/".$this->default_index_file;
@@ -99,7 +100,13 @@ class Gemini {
 $url['path'] .= $this->default_index_file;
 }
- return $this->data_dir.$hostname.$url['path'];
+ $valid_data_dir = dirname(__FILE__)."/".$this->data_dir;
+ $return_path = $this->data_dir.$hostname.$url['path'];
+ // check the real path is in the data_dir (path traversal sanity check)
+ if(substr(realpath($return_path),0, strlen($valid_data_dir)) == $valid_data_dir) {
+ return $return_path;
+ }
+ return false;
 }
 function log_to_file($ip, $status_code, $meta, $filepath, $filesize) {
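Review bot: The `..` stripping in the new `str_replace` call is not a reliable guard, because `str_replace` with array search terms applies each replacement in sequence on the running result, so removing `__` in the second pass can recreate a `..` that the first pass never saw (`.__.` collapses to `..`); the `realpath` containment check added in the second hunk is the actual control and this line must not be relied on. Silently rewriting the path also alters legitimate names that contain `..` or `__` and hides the attempt from the log. A request whose path still contains `..` is better rejected than repaired, e.g. `if(strpos($url['path'], '..') !== false) { return false; }` placed before the index-file handling, leaving the `__` workaround as it was. The enclosing method begins before this hunk, so whether `$url['path']` has already been percent-decoded at this point cannot be seen here; the check should run on the decoded form.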
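Review bot: The containment check on the new `if` line compares a prefix without a trailing directory separator and with `==`, so unless `$this->data_dir` already ends in `/` (not visible here) a sibling directory whose name merely starts with the data directory name would pass, and a `realpath()` failure for a missing file turns into `substr(false, ...)` rather than an explicit rejection. `$valid_data_dir` is also built from `dirname(__FILE__)` but never canonicalised, while `$return_path` is resolved relative to the working directory, so a symlinked, `./`-prefixed or absolute `data_dir`, or a CWD other than the class file's directory, makes the two sides never agree and the method returns false for every request. Canonicalising both sides with `realpath()`, failing closed on either `false`, and comparing against the base plus a separator fixes all three; the rewrite below assumes `data_dir` is absolute or CWD-relative in the same way the existing `$return_path` line already assumes, which should be confirmed. The return type also changes from string to string|false and the callers are outside this hunk, so each one needs a `=== false` branch. The enclosing method starts before the first hunk.
```php
    // … unchanged: default index file handling above …
    $valid_data_dir = realpath($this->data_dir);
    $return_path = $this->data_dir.$hostname.$url['path'];
    $real_path = realpath($return_path);
    // fail closed: an unresolvable base or target is rejected, not compared as ""
    if($valid_data_dir === false || $real_path === false) {
      return false;
    }
    // require the resolved path to sit below the data dir; the appended
    // separator stops a sibling directory with the same name prefix from matching
    $base = rtrim($valid_data_dir, DIRECTORY_SEPARATOR).DIRECTORY_SEPARATOR;
    if(strncmp($real_path, $base, strlen($base)) === 0) {
      return $return_path;
    }
    return false;
```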