
Date:  Tue, 11 Sep 2001 11:14:50 +0900 (JST)
From:  Hironori Sakamoto <hsaka@mth.biglobe.ne.jp>
Subject:  [w3m-dev 02226] Security hole of w3m-0.2.1-inu-1.4a1, 1.4a2 and w3m-m17n.
To:  w3m-dev@mi.med.tohoku.ac.jp
Message-Id:  <200109110214.LAA00783@udlew10.uldev.lsi.nec.co.jp>
X-Mail-Count: 02226

坂本です。

w3m-0.2.1-inu-1.4a1 以降と w3m-m17n に任意のコマンド実行が可能な
セキュリティホールがありました。
w3m-0.2.1-inu-1.4a2 への修正 patch をつけます。
w3m-m17n も一箇所 reject されますが、ほぼ同じです(patch -F 3 でOK)。
# 私の初歩的なミスでした。申し訳ありませんm(_ _)m

local.c のチェックも厳しくすべきか...
----------------------------------- 
坂本 浩則 <hsaka@mth.biglobe.ne.jp> 
 http://www2u.biglobe.ne.jp/~hsaka/

--- indep.c.orig	Mon Sep 10 11:54:49 2001
+++ indep.c	Tue Sep 11 11:03:39 2001
@@ -75,14 +75,14 @@
 }
 
 char *
-cleanupName(char *name)
+cleanupName2(char *name, int flag)
 {
     char *buf, *p, *q;
 
     buf = allocStr(name, 0);
     p = buf;
     q = name;
-    while (*q != '\0' && *q != '?') {
+    while (*q != '\0' && (*q != '?' || ! flag)) {
 	if (strncmp(p, "/../", 4) == 0) {	/* foo/bar/../FOO */
 	    if (p - 2 == buf && strncmp(p - 2, "..", 2) == 0) {
 		/* ../../       */
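Review bot: The new `flag` parameter on `cleanupName2` is undocumented, and the only thing the hunk shows is that a non-zero flag makes the loop stop at the first `?`; the definition should carry a comment stating the contract, e.g. `/* flag != 0: stop at the first '?' (presumably so a URL's query string is left untouched); flag == 0: canonicalize the whole string, used for already-unquoted filesystem paths */`. The condition `(*q != '?' || ! flag)` would read more conventionally as `!flag`, and the two modes would be clearer as a named enum or two `#define`s than as bare `TRUE`/`FALSE` arguments at each call site. cleanupName2's body continues outside the hunk.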
--- indep.h.orig	Mon Sep 10 11:54:49 2001
+++ indep.h	Tue Sep 11 11:03:28 2001
@@ -20,7 +20,8 @@
 extern char *allocStr(const char *s, int len);
 extern int strCmp(const void *s1, const void *s2);
 extern char *currentdir(void);
-extern char *cleanupName(char *name);
+extern char *cleanupName2(char *name, int flag);
+#define cleanupName(name) cleanupName2((name), TRUE)
 extern char *expandPath(char *name);
 extern char *strcasestr(char *s1, char *s2);
 extern int strcasemstr(char *str, char *srch[], char **ret_ptr);
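Review bot: Replacing the `cleanupName` prototype with a function-like macro changes its linkage: if any translation unit takes the address of `cleanupName`, or includes a header that does not define `TRUE` before this one, it will no longer compile or link, and indep.h does not visibly include the header that defines `TRUE`. A one-line wrapper keeps the old symbol and its type, e.g. `extern char *cleanupName(char *name);` here and `char *cleanupName(char *name) { return cleanupName2(name, TRUE); }` in indep.c. Whichever form is kept, the `flag` contract deserves a comment on the `cleanupName2` declaration, since this header is where callers will look it up.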
--- url.c.orig	Mon Sep 10 11:54:50 2001
+++ url.c	Tue Sep 11 11:03:39 2001
@@ -962,7 +962,7 @@
 	    pu->file = cleanupName(pu->file);
 	}
 	if (pu->scheme == SCM_LOCAL)
-	    pu->real_file = file_unquote(pu->file);
+	    pu->real_file = cleanupName2(file_unquote(pu->file), FALSE);
     }
 }
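Review bot: The canonicalization of the unquoted path is repeated verbatim at five call sites in this file (here and in the hunks around lines 1260, 1296, 1337 and 1621), which is the kind of fix a later `file_unquote` caller will forget to apply; a single helper, e.g. `static char *real_file_of(char *p) { return cleanupName2(file_unquote(p), FALSE); }`, would make the post-unquote cleanup the default rather than something each caller must remember. The second pass appears to be needed because `file_unquote` can produce `..` path components that the earlier `cleanupName(pu->file)` on the quoted form did not see; if that is the reason, a comment saying so on the helper would stop the second call from looking redundant and being removed in a future cleanup. The start of the enclosing function is outside the hunk.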
 
@@ -1260,7 +1260,7 @@
 	    Str tmp2 = Strnew_charp("#");
 	    Strcat_charp(tmp2, pu->label);
 	    pu->file = tmp2->ptr;
-	    pu->real_file = file_unquote(pu->file);
+	    pu->real_file = cleanupName2(file_unquote(pu->file), FALSE);
 	    pu->label = NULL;
 	}
 	else {
@@ -1296,7 +1296,7 @@
 	else if ((q = strchr(pu->file, '?')) != NULL) {
 	    /* lodal CGI: GET */
 	    p = Strnew_charp_n(pu->file, (int)(q - pu->file))->ptr;
-	    pu->real_file = file_unquote(p);
+	    pu->real_file = cleanupName2(file_unquote(p), FALSE);
 	    uf.stream = newFileStream(localcgi_get(pu->real_file, q + 1,
 					option->referer), (void (*)()) pclose);
 	    if (uf.stream == NULL) {
@@ -1337,7 +1337,7 @@
 		    Strcat_char(tmp, '/');
 		Strcat_charp(tmp, pu->file);
 		p = cleanupName(tmp->ptr);
-		q = file_unquote(p);
+		q = cleanupName2(file_unquote(p), FALSE);
 		if (dir_exist(q)) {
 		    pu->file = p;
 		    pu->real_file = q;
@@ -1621,7 +1621,7 @@
     }
     p = Strnew_m_charp(pu->file, "/", file_quote(index_file), NULL)->ptr;
     p = cleanupName(p);
-    q = file_unquote(p);
+    q = cleanupName2(file_unquote(p), FALSE);
     examineFile(q, uf);
     if (uf->stream == NULL)
 	return;
    
