From 8a63a8c8257e5c585ec6fee49f38050dbf20354b Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 25 Jul 2022 09:46:41 +0200 Subject: wkd: Fix path traversal attack on gpg-wks-server. * tools/gpg-wks-server.c (check_and_publish): Check for invalid characters in sender controlled data. * tools/wks-util.c (wks_fname_from_userid): Ditto. (wks_compute_hu_fname): Ditto. (ensure_policy_file): Ditto. --- tools/wks-util.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'tools/wks-util.c') diff --git a/tools/wks-util.c b/tools/wks-util.c index e73f3b16e..3f8e8206d 100644 --- a/tools/wks-util.c +++ b/tools/wks-util.c @@ -790,6 +790,12 @@ wks_fname_from_userid (const char *userid, int hash_only, domain = strchr (addrspec, '@'); log_assert (domain); domain++; + if (strchr (domain, '/') || strchr (domain, '\\')) + { + log_info ("invalid domain detected ('%s')\n", domain); + err = gpg_error (GPG_ERR_NOT_FOUND); + goto leave; + } /* Hash user ID and create filename. */ s = strchr (addrspec, '@'); @@ -845,6 +851,11 @@ wks_compute_hu_fname (char **r_fname, const char *addrspec) if (!domain || !domain[1] || domain == addrspec) return gpg_error (GPG_ERR_INV_ARG); domain++; + if (strchr (domain, '/') || strchr (domain, '\\')) + { + log_info ("invalid domain detected ('%s')\n", domain); + return gpg_error (GPG_ERR_NOT_FOUND); + } gcry_md_hash_buffer (GCRY_MD_SHA1, sha1buf, addrspec, domain - addrspec - 1); hash = zb32_encode (sha1buf, 8*20); @@ -893,6 +904,11 @@ ensure_policy_file (const char *addrspec) if (!domain || !domain[1] || domain == addrspec) return gpg_error (GPG_ERR_INV_ARG); domain++; + if (strchr (domain, '/') || strchr (domain, '\\')) + { + log_info ("invalid domain detected ('%s')\n", domain); + return gpg_error (GPG_ERR_NOT_FOUND); + } /* Create the filename. */ fname = make_filename_try (opt.directory, domain, "policy", NULL); -- cgit v1.2.3