Hi, here is a copy of an email I wrote today:
Mehdi Dogguy schrieb: > > Hello, > > > > I'm trying to understand why the submitted patch is enough to fix the > > issue. More particularly, how /../ are removed from the url? > > > > Cheers, > > Hi, the fix for MLDonkey consists of two parts, first this patch which removes leading slashes from the path/filename-part of an URL: http://cvs.savannah.gnu.org/viewvc/mldonkey/src/utils/lib/url.ml?root=mldonkey&r1=1.9&r2=1.10 This fixes http://mldonkey:4080//etc/passwd style attacks. This was not enough however to fix the problem so I added this patch: http://cvs.savannah.gnu.org/viewvc/mldonkey/src/daemon/driver/driverControlers.ml?root=mldonkey&r1=1.113&r2=1.114 The old code worked like this: If the file requested is not an MLDonkey command or an otherwise internally defined file this code was called: | s -> http_send_bin r buf (String.lowercase s) The function http_send_bin was extended in MLDonkey 2.8.4 to check the internal commonPictures database which contains country flags, if a file was not found there, File.to_string was called which reads files from the local filesystem -> bad idea. So, the problem was created when country flags were added to MLDonkey. I changed the code shown above to | s -> http_send_bin_pictures r buf (String.lowercase s) http_send_bin_pictures is basically the same function as http_send_bin, but it only checks the commonPictures database and does not read any files from the local disc - > problem solved. Cheers, spiralvoice ______________________________________________________________________________ Nur bis 16.03.! DSL-Komplettanschluss inkl. WLAN-Modem für nur 17,95 EURO/mtl. + 1 Monat gratis!* http://dsl.web.de/?ac=OM.AD.AD008K15039B7069a -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
