d4708/gemini-php
1
0
Fork 0
mirror of https://github.com/eapl-gemugami/gemini-php.git synced 2025-09-13 14:51:57 +00:00
Code Issues Projects Releases Wiki Activity

Fix path traversal/injection security bug. Thanks to Steven Frank at panic.com for pointing it out.

Browse Source
This commit is contained in:
Neil 2021-02-02 10:57:14 +00:00
parent 68d84394d2
commit d237016c0c
1 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
gemini.class.php
View File

@ -91,7 +91,8 @@ class Gemini {
// Kristall Browser is adding "__" to the end of the filenames // Kristall Browser is adding "__" to the end of the filenames
// wtf am I missing? // wtf am I missing?
$url['path'] = str_replace("__", "", $url['path']); // also removing ".." to mitigate against directory traversal
$url['path'] = str_replace(array("..", "__"), "", $url['path']);
// force an index file to be appended if a filename is missing // force an index file to be appended if a filename is missing
if(empty($url['path'])) { if(empty($url['path'])) {
$url['path'] = "/".$this->default_index_file; $url['path'] = "/".$this->default_index_file;
@ -99,7 +100,13 @@ class Gemini {
$url['path'] .= $this->default_index_file; $url['path'] .= $this->default_index_file;
} }
return $this->data_dir.$hostname.$url['path']; $valid_data_dir = dirname(__FILE__)."/".$this->data_dir;
$return_path = $this->data_dir.$hostname.$url['path'];
// check the real path is in the data_dir (path traversal sanity check)
if(substr(realpath($return_path),0, strlen($valid_data_dir)) == $valid_data_dir) {
return $return_path;
}
return false;
} }
function log_to_file($ip, $status_code, $meta, $filepath, $filesize) { function log_to_file($ip, $status_code, $meta, $filepath, $filesize) {