author | Werner Koch <wk@gnupg.org> | 2022-07-25 09:46:41 +0200 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2022-07-25 10:21:44 +0200 |
commit | 8a63a8c8257e5c585ec6fee49f38050dbf20354b (patch) | |
tree | 276d6d1245c91bde48c82076010dd309ede5102e /tools/wks-util.c | |
parent | build: Update gpg-error.m4. (diff) | |
wkd: Fix path traversal attack on gpg-wks-server.
* tools/gpg-wks-server.c (check_and_publish): Check for invalid
characters in sender controlled data.
* tools/wks-util.c (wks_fname_from_userid): Ditto.
(wks_compute_hu_fname): Ditto.
(ensure_policy_file): Ditto.
Diffstat (limited to '')
-rw-r--r-- | tools/wks-util.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/tools/wks-util.c b/tools/wks-util.c
index e73f3b16e..3f8e8206d 100644
--- a/tools/wks-util.c
+++ b/tools/wks-util.c
@@ -790,6 +790,12 @@ wks_fname_from_userid (const char *userid, int hash_only,
 domain = strchr (addrspec, '@');
 log_assert (domain);
 domain++;
+ if (strchr (domain, '/') || strchr (domain, '\\'))
+ {
+ log_info ("invalid domain detected ('%s')\n", domain);
+ err = gpg_error (GPG_ERR_NOT_FOUND);
+ goto leave;
+ }
 /* Hash user ID and create filename. */
 s = strchr (addrspec, '@');
@@ -845,6 +851,11 @@ wks_compute_hu_fname (char **r_fname, const char *addrspec)
 if (!domain || !domain[1] || domain == addrspec)
 return gpg_error (GPG_ERR_INV_ARG);
 domain++;
+ if (strchr (domain, '/') || strchr (domain, '\\'))
+ {
+ log_info ("invalid domain detected ('%s')\n", domain);
+ return gpg_error (GPG_ERR_NOT_FOUND);
+ }
 gcry_md_hash_buffer (GCRY_MD_SHA1, sha1buf, addrspec, domain - addrspec - 1);
 hash = zb32_encode (sha1buf, 8*20);
@@ -893,6 +904,11 @@ ensure_policy_file (const char *addrspec)
 if (!domain || !domain[1] || domain == addrspec)
 return gpg_error (GPG_ERR_INV_ARG);
 domain++;
+ if (strchr (domain, '/') || strchr (domain, '\\'))
+ {
+ log_info ("invalid domain detected ('%s')\n", domain);
+ return gpg_error (GPG_ERR_NOT_FOUND);
+ }
 /* Create the filename. */
 fname = make_filename_try (opt.directory, domain, "policy", NULL); |
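Review bot: The new `log_info` call in wks_fname_from_userid prints `domain` through a bare `%s`, and the commit message itself describes this value as sender controlled. Unless the logging layer escapes control characters, which is not visible here, a crafted address could place line breaks or terminal control sequences in the server log, so I would log an escaped copy of the string or only its length. The same call is repeated in the wks_compute_hu_fname and ensure_policy_file hunks. The body of wks_fname_from_userid starts and ends outside this hunk.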
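Review bot: The rejected-domain branch in wks_compute_hu_fname returns `GPG_ERR_NOT_FOUND`, while the malformed-address check just above it returns `GPG_ERR_INV_ARG` for what looks like the same class of bad input. If the different code is deliberate, for instance so that a rejected address is reported to callers like an unknown one, a one-line comment such as `/* NOT_FOUND on purpose: handle like an unknown address.  */` would stop it from being "corrected" later. Otherwise `return gpg_error (GPG_ERR_INV_ARG);` matches the neighbouring check. The ensure_policy_file hunk has the same pairing.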
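Review bot: The added check in ensure_policy_file rejects only `/` and `\`, yet the next statement uses `domain` as a whole path component in `make_filename_try (opt.directory, domain, "policy", NULL)`, where a component of `.` or `..` would also resolve outside the per-domain directory. Whether such a value can reach this point depends on address validation done by the callers, which the hunk does not show, so I would make the check self-contained. The identical test is pasted into wks_fname_from_userid and wks_compute_hu_fname and, per the commit message, into check_and_publish, so a small static helper would keep all sites in step. The sketch below uses a suggested name, and the function continues past the end of the hunk.

```c
/* Proposed helper; the name is only a suggestion.  Return true if
 * DOMAIN can be used as exactly one path component.  */
static int
domain_is_one_path_component (const char *domain)
{
  if (!strcmp (domain, ".") || !strcmp (domain, ".."))
    return 0;
  return !strpbrk (domain, "/\\");
}

/* ... unchanged: domain lookup, GPG_ERR_INV_ARG check, domain++ ... */
  if (!domain_is_one_path_component (domain))
/* ... unchanged: log_info and return gpg_error (GPG_ERR_NOT_FOUND) ... */
```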