diff options
| author | Gyorgy Sarvari <skandigraun@gmail.com> | 2025-10-04 22:24:33 +0200 |
|---|---|---|
| committer | Gyorgy Sarvari <skandigraun@gmail.com> | 2025-10-12 13:08:29 +0200 |
| commit | b157fa04127d93164027b1b6f2b23063c8aa9192 (patch) | |
| tree | e10f87c67ad2e849da3a108de2e35d525b10b74e /meta-networking | |
| parent | 49c4e29bc94b60511e4a4bfd27d07e4f601fce04 (diff) | |
| download | meta-openembedded-b157fa04127d93164027b1b6f2b23063c8aa9192.tar.gz | |
civetweb: patch CVE-2020-27304
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-27304
Take the patches referenced in
https://jfrog.com/blog/cve-2020-27304-rce-via-directory-traversal-in-civetweb-http-server/
(which URL is also referenced by NIST)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Diffstat (limited to 'meta-networking')
3 files changed, 119 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/civetweb/civetweb/0001-Sanitize-upload-filename-like-URL.patch b/meta-networking/recipes-connectivity/civetweb/civetweb/0001-Sanitize-upload-filename-like-URL.patch new file mode 100644 index 0000000000..0e2ee700c8 --- /dev/null +++ b/meta-networking/recipes-connectivity/civetweb/civetweb/0001-Sanitize-upload-filename-like-URL.patch | |||
| @@ -0,0 +1,27 @@ | |||
| 1 | From e7c4fca110a0823262cf444371d01309c85c760f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: bel2125 <bel2125@gmail.com> | ||
| 3 | Date: Sat, 3 Jul 2021 21:54:28 +0200 | ||
| 4 | Subject: [PATCH] Sanitize upload filename like URL | ||
| 5 | |||
| 6 | CVE: CVE-2020-27304 | ||
| 7 | |||
| 8 | Upstream-Status: Backport [https://github.com/civetweb/civetweb/commit/b2ed60c589172b37f3d705c69d84313eeb8348b1] | ||
| 9 | |||
| 10 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 11 | --- | ||
| 12 | src/handle_form.inl | 2 ++ | ||
| 13 | 1 file changed, 2 insertions(+) | ||
| 14 | |||
| 15 | diff --git a/src/handle_form.inl b/src/handle_form.inl | ||
| 16 | index 9853faf1..21536158 100644 | ||
| 17 | --- a/src/handle_form.inl | ||
| 18 | +++ b/src/handle_form.inl | ||
| 19 | @@ -55,6 +55,8 @@ url_encoded_field_found(const struct mg_connection *conn, | ||
| 20 | mg_cry_internal(conn, "%s: Cannot decode filename", __func__); | ||
| 21 | return MG_FORM_FIELD_STORAGE_SKIP; | ||
| 22 | } | ||
| 23 | + remove_dot_segments(filename_dec); | ||
| 24 | + | ||
| 25 | } else { | ||
| 26 | filename_dec[0] = 0; | ||
| 27 | } | ||
diff --git a/meta-networking/recipes-connectivity/civetweb/civetweb/0002-handle_form-example-Upload-to-temporary-directory-an.patch b/meta-networking/recipes-connectivity/civetweb/civetweb/0002-handle_form-example-Upload-to-temporary-directory-an.patch new file mode 100644 index 0000000000..2721eb3b63 --- /dev/null +++ b/meta-networking/recipes-connectivity/civetweb/civetweb/0002-handle_form-example-Upload-to-temporary-directory-an.patch | |||
| @@ -0,0 +1,90 @@ | |||
| 1 | From 69b2b98f009603e669aac9d1a1e57d00769881b2 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: bel2125 <bel2125@gmail.com> | ||
| 3 | Date: Sat, 3 Jul 2021 22:35:50 +0200 | ||
| 4 | Subject: [PATCH] handle_form example: Upload to temporary directory and do | ||
| 5 | some filename checks | ||
| 6 | |||
| 7 | For Windows, determine the temporary directory from the GetTempPath API. | ||
| 8 | |||
| 9 | According to RFC7578, path information should be ignored and you should not | ||
| 10 | overwrite existing files. | ||
| 11 | |||
| 12 | CVE: CVE-2020-27304 | ||
| 13 | |||
| 14 | Upstream-Status: Backport [https://github.com/civetweb/civetweb/commit/b2ed60c589172b37f3d705c69d84313eeb8348b1] | ||
| 15 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 16 | --- | ||
| 17 | examples/embedded_c/embedded_c.c | 51 ++++++++++++++++++++++++++++++-- | ||
| 18 | 1 file changed, 49 insertions(+), 2 deletions(-) | ||
| 19 | |||
| 20 | diff --git a/examples/embedded_c/embedded_c.c b/examples/embedded_c/embedded_c.c | ||
| 21 | index 8956bbce..29ab6b36 100644 | ||
| 22 | --- a/examples/embedded_c/embedded_c.c | ||
| 23 | +++ b/examples/embedded_c/embedded_c.c | ||
| 24 | @@ -258,17 +258,64 @@ field_found(const char *key, | ||
| 25 | size_t pathlen, | ||
| 26 | void *user_data) | ||
| 27 | { | ||
| 28 | +#ifdef _WIN32 | ||
| 29 | + char temppath[MAX_PATH + 2]; | ||
| 30 | + DWORD temppathlen; | ||
| 31 | +#endif | ||
| 32 | + | ||
| 33 | struct mg_connection *conn = (struct mg_connection *)user_data; | ||
| 34 | |||
| 35 | mg_printf(conn, "\r\n\r\n%s:\r\n", key); | ||
| 36 | |||
| 37 | if (filename && *filename) { | ||
| 38 | + | ||
| 39 | + /* According to | ||
| 40 | + * https://datatracker.ietf.org/doc/html/rfc7578#section-4.2: Do not use | ||
| 41 | + * path information present in the filename. Drop all "/" (and "\" for | ||
| 42 | + * Windows). | ||
| 43 | + */ | ||
| 44 | + char *sep = strrchr(filename, '/'); | ||
| 45 | + if (sep) { | ||
| 46 | + memmove(filename, sep + 1, strlen(sep)); | ||
| 47 | + } | ||
| 48 | + | ||
| 49 | #ifdef _WIN32 | ||
| 50 | - _snprintf(path, pathlen, "D:\\tmp\\%s", filename); | ||
| 51 | + sep = strrchr(filename, '\\'); | ||
| 52 | + if (sep) { | ||
| 53 | + memmove(filename, sep + 1, strlen(sep)); | ||
| 54 | + } | ||
| 55 | + | ||
| 56 | + /* For Windows: Find the directory for temporary files */ | ||
| 57 | + temppathlen = GetTempPathA(sizeof(temppath), temppath); | ||
| 58 | + if (temppathlen > 0) { | ||
| 59 | + _snprintf(path, pathlen, "%s\\%s", temppath, filename); | ||
| 60 | + } else { | ||
| 61 | + _snprintf(path, pathlen, "C:\\tmp\\%s", filename); | ||
| 62 | + } | ||
| 63 | #else | ||
| 64 | snprintf(path, pathlen, "/tmp/%s", filename); | ||
| 65 | #endif | ||
| 66 | - return MG_FORM_FIELD_STORAGE_STORE; | ||
| 67 | + | ||
| 68 | + /* According to https://datatracker.ietf.org/doc/html/rfc7578#section-7: | ||
| 69 | + * Do not overwrite existing files. | ||
| 70 | + */ | ||
| 71 | + { | ||
| 72 | + FILE *ftest = fopen(path, "r"); | ||
| 73 | + if (!ftest) { | ||
| 74 | + return MG_FORM_FIELD_STORAGE_STORE; | ||
| 75 | + } | ||
| 76 | + fclose(ftest); | ||
| 77 | + /* This is just simple demo code. More sophisticated code could add | ||
| 78 | + * numbers to the file name to make filenames unique. However, most | ||
| 79 | + * likely file upload will not end up in the temporary path, but in | ||
| 80 | + * a user directory - multiple directories for multiple users that | ||
| 81 | + * are logged into the web service. In this case, users might want | ||
| 82 | + * to overwrite their own code. You need to adapt this example to | ||
| 83 | + * your needs. | ||
| 84 | + */ | ||
| 85 | + } | ||
| 86 | + | ||
| 87 | + return MG_FORM_FIELD_STORAGE_SKIP; | ||
| 88 | } | ||
| 89 | return MG_FORM_FIELD_STORAGE_GET; | ||
| 90 | } | ||
diff --git a/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb b/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb index e9c2056180..1648d13d99 100644 --- a/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb +++ b/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb | |||
| @@ -8,6 +8,8 @@ SRCREV = "4b440a339979852d5a51fb11a822952712231c23" | |||
| 8 | PV = "1.12+git${SRCPV}" | 8 | PV = "1.12+git${SRCPV}" |
| 9 | SRC_URI = "git://github.com/civetweb/civetweb.git;branch=master;protocol=https \ | 9 | SRC_URI = "git://github.com/civetweb/civetweb.git;branch=master;protocol=https \ |
| 10 | file://0001-Unittest-Link-librt-and-libm-using-l-option.patch \ | 10 | file://0001-Unittest-Link-librt-and-libm-using-l-option.patch \ |
| 11 | file://0001-Sanitize-upload-filename-like-URL.patch \ | ||
| 12 | file://0002-handle_form-example-Upload-to-temporary-directory-an.patch \ | ||
| 11 | " | 13 | " |
| 12 | 14 | ||
| 13 | S = "${WORKDIR}/git" | 15 | S = "${WORKDIR}/git" |