~sircmpwn/public-inbox

[PATCH gmnisrv] return false on request_validate errors

Details
Message ID
<20201012043502.2145723-1-chris@vittal.dev>
DKIM signature
pass
Patch: +4 -1
This will report proper errors to clients rather than continuing on with
request processing.
---
Because of the specific behavior involved in snprintf when client->path
was null, this could lead to a rather dumb, but still unintended
information disclosure for a file named (as in the example)
'/srv/gemini(null)'.

 src/serve.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/serve.c b/src/serve.c
index a856bc2..e42944e 100644
--- a/src/serve.c
+++ b/src/serve.c
@@ -247,7 +247,10 @@ request_validate(struct gmnisrv_client *client, char **path)
	// . to prevent directory traversal without additional code.
	*path = part;

exit:
	curl_url_cleanup(url);
	return true;

exit:
	curl_url_cleanup(url);
	return false;
}
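Review bot: The new failure return under `exit:` repeats `curl_url_cleanup(url)` from the success return directly above it, so any cleanup added later has to be kept in sync in two places. A single `exit:` that returns a result flag, set to true only after `*path = part;`, would keep one cleanup site. Returning false also only helps if the caller checks the result before using `*path`. The call site and the error jumps are not visible in this hunk, so it is worth confirming that check exists, or assigning `*path = NULL` at function entry so a skipped check fails loudly instead of formatting a stale or null pointer into a filesystem path.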
-- 
2.28.0
Details
Message ID
<C6BDEAFIYZO7.2QGQ68LGEWMZK@taiga>
In-Reply-To
<20201012043502.2145723-1-chris@vittal.dev> (view parent)
DKIM signature
fail
Thanks!

To git@git.sr.ht:~sircmpwn/gmnisrv
   9d17ce4..  master -> master