Hi folks,

This patch fixes a vulnerability in homedir parsing. The bug is a potential security risk, but only if you configure homedirs.
A demonstration: configure homedirs, and try the following:

http://domain/~/
http://domain/~../

If you use nostromo in a chroot, it'll probably only leak access to configuration files, .htaccess stuff.

I had sent this before to you, Marcus, along with another patch, but didn't get much feedback. No clue if this is a proper fix.

-Bryan.

--- nostromo/Makefile 20 Oct 2010 15:23:04 -0000 1.34 +++ nostromo/Makefile 21 Dec 2010 01:30:51 -0000 @@ -3,6 +3,7 @@ COMMENT= Nostromo webserver DISTNAME= nostromo-1.9.3 +REVISION= 0 CATEGORIES= www MASTER_SITES= http://www.nazgul.ch/dev/ --- /dev/null 01 Jan 1970 00:00:00 -0000 +++ nostromo/patches/patch-src_nhttpd_http_c 21 Dec 2010 00:37:02 -0000 @@ -0,0 +1,14 @@ +$OpenBSD$ +Security issue. +--- src/nhttpd/http.c.orig Sat Jul 03 00:00:00 2009 ++++ src/nhttpd/http.c Sat Aug 14 20:14:30 2010 +@@ -1537,7 +1537,8 @@ http_header(const char *header_data, const char *force + + /* homedirs */ + if (config.homedirs[0] != '\0') { +- if (h->rq_uri[1] == '~') { ++ if (h->rq_uri[1] == '~' && h->rq_uri[2] != '/' && ++ h->rq_uri[3] != '.' && h->rq_uri[4] != '.') { + strlcpy(docroot, config.homedirs, sizeof(docroot)); + strlcpy(file_path, h->rq_uri, sizeof(file_path)); + /* remove ~ */
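
Review bot: The new condition in the http.c hunk tests h->rq_uri[2], h->rq_uri[3] and h->rq_uri[4] at fixed offsets without first checking how long the URI is, so for a request of just /~ the reads at [3] and [4] land past the terminating NUL and compare whatever happens to be in the buffer. The fixed offsets also reject legitimate names: any home directory whose second or third character is a dot (index 3 or 4 of the URI) no longer takes the homedirs branch. Beyond the two forms shown in the message, the rest of the path is not inspected at all. I would suggest extracting the component between '~' and the next '/' (or end of string) and rejecting the request when that component is empty, ".", or "..", rather than probing individual bytes. It is also worth confirming what happens when this condition is false: the request now skips the homedirs block and continues with whatever follows it, which is not visible in this hunk, so the rejected URI should end in an explicit error rather than being resolved some other way. Lastly, the "Security issue." description in patches/patch-src_nhttpd_http_c could say what is being fixed (homedir URI handling) so the reason for the patch is clear to whoever updates the port later.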