diff options
| author | Werner Koch <wk@gnupg.org> | 2022-07-25 09:46:41 +0200 |
|---|---|---|
| committer | Werner Koch <wk@gnupg.org> | 2022-07-25 10:21:44 +0200 |
| commit | 8a63a8c8257e5c585ec6fee49f38050dbf20354b (patch) | |
| tree | 276d6d1245c91bde48c82076010dd309ede5102e /tools | |
| parent | build: Update gpg-error.m4. (diff) | |
| download | gnupg2-8a63a8c8257e5c585ec6fee49f38050dbf20354b.tar.xz gnupg2-8a63a8c8257e5c585ec6fee49f38050dbf20354b.zip | |
wkd: Fix path traversal attack on gpg-wks-server.
* tools/gpg-wks-server.c (check_and_publish): Check for invalid
characters in sender controlled data.
* tools/wks-util.c (wks_fname_from_userid): Ditto.
(wks_compute_hu_fname): Ditto.
(ensure_policy_file): Ditto.
Diffstat (limited to 'tools')
| -rw-r--r-- | tools/gpg-wks-server.c | 9 | ||||
| -rw-r--r-- | tools/wks-util.c | 16 |
2 files changed, 25 insertions, 0 deletions
diff --git a/tools/gpg-wks-server.c b/tools/gpg-wks-server.c index 2ea5d9117..451fa3c81 100644 --- a/tools/gpg-wks-server.c +++ b/tools/gpg-wks-server.c @@ -1379,6 +1379,15 @@ check_and_publish (server_ctx_t ctx, const char *address, const char *nonce) domain = strchr (address, '@'); log_assert (domain && domain[1]); domain++; + if (strchr (domain, '/') || strchr (domain, '\\') + || strchr (nonce, '/') || strchr (nonce, '\\')) + { + log_info ("invalid domain or nonce received ('%s', '%s')\n", + domain, nonce); + err = gpg_error (GPG_ERR_NOT_FOUND); + goto leave; + } + fname = make_filename_try (opt.directory, domain, "pending", nonce, NULL); if (!fname) { diff --git a/tools/wks-util.c b/tools/wks-util.c index e73f3b16e..3f8e8206d 100644 --- a/tools/wks-util.c +++ b/tools/wks-util.c @@ -790,6 +790,12 @@ wks_fname_from_userid (const char *userid, int hash_only, domain = strchr (addrspec, '@'); log_assert (domain); domain++; + if (strchr (domain, '/') || strchr (domain, '\\')) + { + log_info ("invalid domain detected ('%s')\n", domain); + err = gpg_error (GPG_ERR_NOT_FOUND); + goto leave; + } /* Hash user ID and create filename. */ s = strchr (addrspec, '@'); @@ -845,6 +851,11 @@ wks_compute_hu_fname (char **r_fname, const char *addrspec) if (!domain || !domain[1] || domain == addrspec) return gpg_error (GPG_ERR_INV_ARG); domain++; + if (strchr (domain, '/') || strchr (domain, '\\')) + { + log_info ("invalid domain detected ('%s')\n", domain); + return gpg_error (GPG_ERR_NOT_FOUND); + } gcry_md_hash_buffer (GCRY_MD_SHA1, sha1buf, addrspec, domain - addrspec - 1); hash = zb32_encode (sha1buf, 8*20); @@ -893,6 +904,11 @@ ensure_policy_file (const char *addrspec) if (!domain || !domain[1] || domain == addrspec) return gpg_error (GPG_ERR_INV_ARG); domain++; + if (strchr (domain, '/') || strchr (domain, '\\')) + { + log_info ("invalid domain detected ('%s')\n", domain); + return gpg_error (GPG_ERR_NOT_FOUND); + } /* Create the filename. */ fname = make_filename_try (opt.directory, domain, "policy", NULL); |