security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-01-02 12:01:32 +01:00
Code Activity

wkd: Fix path traversal attack on gpg-wks-server.

Browse Source 
* tools/gpg-wks-server.c (check_and_publish): Check for invalid
characters in sender controlled data.
* tools/wks-util.c (wks_fname_from_userid): Ditto.
(wks_compute_hu_fname): Ditto.
(ensure_policy_file): Ditto.
This commit is contained in:
Werner Koch 2022-07-25 09:46:41 +02:00
parent 2791169aa9
commit 8a63a8c825
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
2 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
tools/gpg-wks-server.c
View File

@ -1379,6 +1379,15 @@ check_and_publish (server_ctx_t ctx, const char *address, const char *nonce)
domain = strchr (address, '@'); domain = strchr (address, '@');
log_assert (domain && domain[1]); log_assert (domain && domain[1]);
domain++; domain++;
if (strchr (domain, '/') || strchr (domain, '\\')
|| strchr (nonce, '/') || strchr (nonce, '\\'))
{
log_info ("invalid domain or nonce received ('%s', '%s')\n",
domain, nonce);
err = gpg_error (GPG_ERR_NOT_FOUND);
goto leave;
}
fname = make_filename_try (opt.directory, domain, "pending", nonce, NULL); fname = make_filename_try (opt.directory, domain, "pending", nonce, NULL);
if (!fname) if (!fname)
{ {

16
tools/wks-util.c
View File

@ -790,6 +790,12 @@ wks_fname_from_userid (const char *userid, int hash_only,
domain = strchr (addrspec, '@'); domain = strchr (addrspec, '@');
log_assert (domain); log_assert (domain);
domain++; domain++;
if (strchr (domain, '/') || strchr (domain, '\\'))
{
log_info ("invalid domain detected ('%s')\n", domain);
err = gpg_error (GPG_ERR_NOT_FOUND);
goto leave;
}
/* Hash user ID and create filename. */ /* Hash user ID and create filename. */
s = strchr (addrspec, '@'); s = strchr (addrspec, '@');
@ -845,6 +851,11 @@ wks_compute_hu_fname (char **r_fname, const char *addrspec)
if (!domain || !domain[1] || domain == addrspec) if (!domain || !domain[1] || domain == addrspec)
return gpg_error (GPG_ERR_INV_ARG); return gpg_error (GPG_ERR_INV_ARG);
domain++; domain++;
if (strchr (domain, '/') || strchr (domain, '\\'))
{
log_info ("invalid domain detected ('%s')\n", domain);
return gpg_error (GPG_ERR_NOT_FOUND);
}
gcry_md_hash_buffer (GCRY_MD_SHA1, sha1buf, addrspec, domain - addrspec - 1); gcry_md_hash_buffer (GCRY_MD_SHA1, sha1buf, addrspec, domain - addrspec - 1);
hash = zb32_encode (sha1buf, 8*20); hash = zb32_encode (sha1buf, 8*20);
@ -893,6 +904,11 @@ ensure_policy_file (const char *addrspec)
if (!domain || !domain[1] || domain == addrspec) if (!domain || !domain[1] || domain == addrspec)
return gpg_error (GPG_ERR_INV_ARG); return gpg_error (GPG_ERR_INV_ARG);
domain++; domain++;
if (strchr (domain, '/') || strchr (domain, '\\'))
{
log_info ("invalid domain detected ('%s')\n", domain);
return gpg_error (GPG_ERR_NOT_FOUND);
}
/* Create the filename. */ /* Create the filename. */
fname = make_filename_try (opt.directory, domain, "policy", NULL); fname = make_filename_try (opt.directory, domain, "policy", NULL);