From f5ae94639bad542e6ae2b57495cb975bd8feb45e Mon Sep 17 00:00:00 2001 From: Floris Bos Date: Sun, 29 Mar 2015 21:02:25 +0200 Subject: httpd: disallow directory traversal Signed-off-by: Floris Bos --- libvncserver/httpd.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'libvncserver/httpd.c') diff --git a/libvncserver/httpd.c b/libvncserver/httpd.c index 12d71a8..2a778e7 100644 --- a/libvncserver/httpd.c +++ b/libvncserver/httpd.c @@ -423,6 +423,14 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen) } } + /* Basic protection against directory traversal outside webroot */ + + if (strstr(fname, "..")) { + rfbErr("httpd: URL should not contain '..'\n"); + rfbWriteExact(&cl, NOT_FOUND_STR, strlen(NOT_FOUND_STR)); + httpCloseSock(rfbScreen); + return; + } /* If we were asked for '/', actually read the file index.vnc */ -- cgit v1.2.3 From 53cc1fa18a3b96d2c31a145d971017564fca39bb Mon Sep 17 00:00:00 2001 From: Rex Dieter Date: Thu, 18 Feb 2016 08:29:07 -0600 Subject: use namespaced rfbMax macro (issue #102) Not using generic 'max', avoids conflicts with stl_algobase.h --- libvncclient/listen.c | 9 +++------ libvncserver/httpd.c | 2 +- libvncserver/rfbserver.c | 2 +- libvncserver/sockets.c | 8 ++++---- rfb/rfbproto.h | 2 +- 5 files changed, 10 insertions(+), 13 deletions(-) (limited to 'libvncserver/httpd.c') diff --git a/libvncclient/listen.c b/libvncclient/listen.c index 739cd9f..e989d6a 100644 --- a/libvncclient/listen.c +++ b/libvncclient/listen.c @@ -30,9 +30,6 @@ #ifdef WIN32 #define close closesocket #include -#ifdef _MINGW32 -#undef max -#endif // #ifdef _MINGW32 #else // #ifdef WIN32 #include #include @@ -99,7 +96,7 @@ listenForIncomingConnections(rfbClient* client) if(listen6Socket >= 0) FD_SET(listen6Socket, &fds); - r = select(max(listenSocket, listen6Socket)+1, &fds, NULL, NULL, NULL); + r = select(rfbMax(listenSocket, listen6Socket)+1, &fds, NULL, NULL, NULL); if (r > 0) { if (FD_ISSET(listenSocket, &fds)) @@ -195,9 +192,9 @@ listenForIncomingConnectionsNoFork(rfbClient* client, int timeout) FD_SET(client->listen6Sock, &fds); if (timeout < 0) - r = select(max(client->listenSock, client->listen6Sock) +1, &fds, NULL, NULL, NULL); + r = select(rfbMax(client->listenSock, client->listen6Sock) +1, &fds, NULL, NULL, NULL); else - r = select(max(client->listenSock, client->listen6Sock) +1, &fds, NULL, NULL, &to); + r = select(rfbMax(client->listenSock, client->listen6Sock) +1, &fds, NULL, NULL, &to); if (r > 0) { diff --git a/libvncserver/httpd.c b/libvncserver/httpd.c index 2a778e7..236ab3e 100644 --- a/libvncserver/httpd.c +++ b/libvncserver/httpd.c @@ -192,7 +192,7 @@ rfbHttpCheckFds(rfbScreenInfoPtr rfbScreen) } tv.tv_sec = 0; tv.tv_usec = 0; - nfds = select(max(rfbScreen->httpListen6Sock, max(rfbScreen->httpSock,rfbScreen->httpListenSock)) + 1, &fds, NULL, NULL, &tv); + nfds = select(rfbMax(rfbScreen->httpListen6Sock, rfbMax(rfbScreen->httpSock,rfbScreen->httpListenSock)) + 1, &fds, NULL, NULL, &tv); if (nfds == 0) { return; } diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c index 34e1c06..68c2de5 100644 --- a/libvncserver/rfbserver.c +++ b/libvncserver/rfbserver.c @@ -369,7 +369,7 @@ rfbNewTCPOrUDPClient(rfbScreenInfoPtr rfbScreen, } FD_SET(sock,&(rfbScreen->allFds)); - rfbScreen->maxFd = max(sock,rfbScreen->maxFd); + rfbScreen->maxFd = rfbMax(sock,rfbScreen->maxFd); INIT_MUTEX(cl->outputMutex); INIT_MUTEX(cl->refCountMutex); diff --git a/libvncserver/sockets.c b/libvncserver/sockets.c index f21f162..aaef14b 100644 --- a/libvncserver/sockets.c +++ b/libvncserver/sockets.c @@ -193,7 +193,7 @@ rfbInitSockets(rfbScreenInfoPtr rfbScreen) rfbLog("Autoprobing selected TCP6 port %d\n", rfbScreen->ipv6port); FD_SET(rfbScreen->listen6Sock, &(rfbScreen->allFds)); - rfbScreen->maxFd = max((int)rfbScreen->listen6Sock,rfbScreen->maxFd); + rfbScreen->maxFd = rfbMax((int)rfbScreen->listen6Sock,rfbScreen->maxFd); #endif } else @@ -220,7 +220,7 @@ rfbInitSockets(rfbScreenInfoPtr rfbScreen) rfbLog("Listening for VNC connections on TCP6 port %d\n", rfbScreen->ipv6port); FD_SET(rfbScreen->listen6Sock, &(rfbScreen->allFds)); - rfbScreen->maxFd = max((int)rfbScreen->listen6Sock,rfbScreen->maxFd); + rfbScreen->maxFd = rfbMax((int)rfbScreen->listen6Sock,rfbScreen->maxFd); } #endif @@ -236,7 +236,7 @@ rfbInitSockets(rfbScreenInfoPtr rfbScreen) rfbLog("Listening for VNC connections on TCP port %d\n", rfbScreen->port); FD_SET(rfbScreen->udpSock, &(rfbScreen->allFds)); - rfbScreen->maxFd = max((int)rfbScreen->udpSock,rfbScreen->maxFd); + rfbScreen->maxFd = rfbMax((int)rfbScreen->udpSock,rfbScreen->maxFd); } } @@ -563,7 +563,7 @@ rfbConnect(rfbScreenInfoPtr rfbScreen, /* AddEnabledDevice(sock); */ FD_SET(sock, &rfbScreen->allFds); - rfbScreen->maxFd = max(sock,rfbScreen->maxFd); + rfbScreen->maxFd = rfbMax(sock,rfbScreen->maxFd); return sock; } diff --git a/rfb/rfbproto.h b/rfb/rfbproto.h index 8e607e5..bb6bfa5 100644 --- a/rfb/rfbproto.h +++ b/rfb/rfbproto.h @@ -93,8 +93,8 @@ #define strncasecmp _strnicmp #endif +#define rfbMax(a,b) (((a)>(b))?(a):(b)) #if !defined(WIN32) || defined(__MINGW32__) -#define max(a,b) (((a)>(b))?(a):(b)) #ifdef LIBVNCSERVER_HAVE_SYS_TIME_H #include #endif -- cgit v1.2.3 From 65106d39627499ace4f1ed8701d3ab6c7f97f56f Mon Sep 17 00:00:00 2001 From: Christian Beier Date: Fri, 25 Nov 2016 15:07:48 +0100 Subject: httpd: rework mime type handling to recognise more types --- libvncserver/httpd.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) (limited to 'libvncserver/httpd.c') diff --git a/libvncserver/httpd.c b/libvncserver/httpd.c index 236ab3e..fe7ac22 100644 --- a/libvncserver/httpd.c +++ b/libvncserver/httpd.c @@ -81,9 +81,7 @@ "Invalid Request\n" \ "

Invalid request

\n" -#define OK_STR "HTTP/1.0 200 OK\r\nConnection: close\r\n\r\n" -#define OK_STR_HTML "HTTP/1.0 200 OK\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n" - +#define OK_STR "HTTP/1.0 200 OK\r\nConnection: close\r\n" static void httpProcessInput(rfbScreenInfoPtr screen); @@ -454,10 +452,18 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen) return; } - if(performSubstitutions) /* is the 'index.vnc' file */ - rfbWriteExact(&cl, OK_STR_HTML, strlen(OK_STR_HTML)); - else - rfbWriteExact(&cl, OK_STR, strlen(OK_STR)); + rfbWriteExact(&cl, OK_STR, strlen(OK_STR)); + char *ext = strrchr(fname, '.'); + char *contentType = ""; + if(ext && strcasecmp(ext, ".vnc") == 0) + contentType = "Content-Type: text/html\r\n"; + else if(ext && strcasecmp(ext, ".css") == 0) + contentType = "Content-Type: text/css\r\n"; + else if(ext && strcasecmp(ext, ".svg") == 0) + contentType = "Content-Type: image/svg+xml\r\n"; + rfbWriteExact(&cl, contentType, strlen(contentType)); + /* end the header */ + rfbWriteExact(&cl, "\r\n", 4); while (1) { int n = fread(buf, 1, BUF_SIZE-1, fd); -- cgit v1.2.3 From 21f8a8d33da3de64b268f5aa2653f46fdb688da0 Mon Sep 17 00:00:00 2001 From: Samuel Mannehed Date: Fri, 2 Dec 2016 12:48:35 +0100 Subject: Write the correct length for end of header Fix for commit 65106d39627499ace4f1ed8701d3ab6c7f97f56f --- libvncserver/httpd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'libvncserver/httpd.c') diff --git a/libvncserver/httpd.c b/libvncserver/httpd.c index fe7ac22..8634b15 100644 --- a/libvncserver/httpd.c +++ b/libvncserver/httpd.c @@ -463,7 +463,7 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen) contentType = "Content-Type: image/svg+xml\r\n"; rfbWriteExact(&cl, contentType, strlen(contentType)); /* end the header */ - rfbWriteExact(&cl, "\r\n", 4); + rfbWriteExact(&cl, "\r\n", 2); while (1) { int n = fread(buf, 1, BUF_SIZE-1, fd); -- cgit v1.2.3