Startsida Utforska Hjälp
Logga in
ayhanyalcinsoy
/
main
forkad från pisilinux/main
Bevaka 1
Stjärnmärk 0
Fork 0
Filer
Träd: d90c73f100
Grenar Taggar
main
/
network
/
analyzer
/
libupnp
/
files
/
CVE-2016-6255.patch

CVE-2016-6255.patch 2.2 KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566 
  1. From be0a01bdb83395d9f3a5ea09c1308a4f1a972cbd Mon Sep 17 00:00:00 2001
    2. 

  2. From: Matthew Garrett <mjg59@srcf.ucam.org>
    3. 

  3. Date: Tue, 23 Feb 2016 13:53:20 -0800
    4. 

  4. Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
    5. 

  5.  default
    6. 

  6. 

  7. If there's no registered handler for a POST request, the default behaviour
    8. 

  8. is to write it to the filesystem. Several million deployed devices appear
    9. 

  9. to have this behaviour, making it possible to (at least) store arbitrary
    10. 

  10. data on them. Add a configure option that enables this behaviour, and change
    11. 

  11. the default to just drop POSTs that aren't directly handled.
    12. 

  12. ---
    13. 

  13.  configure.ac                         | 4 ++++
    14. 

  14.  upnp/inc/upnpconfig.h.in             | 5 +++++
    15. 

  15.  upnp/src/genlib/net/http/webserver.c | 4 ++++
    16. 

  16.  3 files changed, 13 insertions(+)
    17. 

  17. 

  18. diff --git a/configure.ac b/configure.ac
    19. 

  19. index dd88734..ea2bc09 100644
    20. 

  20. --- a/configure.ac
    21. 

  21. +++ b/configure.ac
    22. 

  22. @@ -482,6 +482,10 @@ if test "x$enable_scriptsupport" = xyes ; then
    23. 

  23.          AC_DEFINE(IXML_HAVE_SCRIPTSUPPORT, 1, [see upnpconfig.h])
    24. 

  24.  fi
    25. 

  25.  
    26. 

  26. +RT_BOOL_ARG_ENABLE([postwrite], [no], [write to the filesystem on otherwise unhandled POST requests])
    27. 

  27. +if test "x$enable_postwrite" = xyes ; then
    28. 

  28. +        AC_DEFINE(UPNP_ENABLE_POST_WRITE, 1, [see upnpconfig.h])
    29. 

  29. +fi
    30. 

  30.  
    31. 

  31.  RT_BOOL_ARG_ENABLE([samples], [yes], [compilation of upnp/sample/ code])
    32. 

  32.  
    33. 

  33. diff --git a/upnp/inc/upnpconfig.h.in b/upnp/inc/upnpconfig.h.in
    34. 

  34. index 46ddc6e..5df8c5a 100644
    35. 

  35. --- a/upnp/inc/upnpconfig.h.in
    36. 

  36. +++ b/upnp/inc/upnpconfig.h.in
    37. 

  37. @@ -135,5 +135,10 @@
    38. 

  38.   *  (i.e. configure --enable-open_ssl) */
    39. 

  39.  #undef UPNP_ENABLE_OPEN_SSL
    40. 

  40.  
    41. 

  41. +/** Defined to 1 if the library has been compiled to support filesystem writes on POST
    42. 

  42. + *  (i.e. configure --enable-postwrite) */
    43. 

  43. +#undef UPNP_ENABLE_POST_WRITE
    44. 

  44. +
    45. 

  45. +
    46. 

  46.  #endif /* UPNP_CONFIG_H */
    47. 

  47.  
    48. 

  48. diff --git a/upnp/src/genlib/net/http/webserver.c b/upnp/src/genlib/net/http/webserver.c
    49. 

  49. index 8991c16..8b2ecf2 100644
    50. 

  50. --- a/upnp/src/genlib/net/http/webserver.c
    51. 

  51. +++ b/upnp/src/genlib/net/http/webserver.c
    52. 

  52. @@ -1369,9 +1369,13 @@ static int http_RecvPostMessage(
    53. 

  53.  		if (Fp == NULL)
    54. 

  54.  			return HTTP_INTERNAL_SERVER_ERROR;
    55. 

  55.  	} else {
    56. 

  56. +#ifdef UPNP_ENABLE_POST_WRITE
    57. 

  57.  		Fp = fopen(filename, "wb");
    58. 

  58.  		if (Fp == NULL)
    59. 

  59.  			return HTTP_UNAUTHORIZED;
    60. 

  60. +#else
    61. 

  61. +		return HTTP_NOT_FOUND;
    62. 

  62. +#endif
    63. 

  63.  	}
    64. 

  64.  	parser->position = POS_ENTITY;
    65. 

  65.  	do {
    66. 

  66.