Merge pull request #253 from NoiseByNorthwest/fix/251

Web UI: fix unconfined file access via SPX_UI_URI
NoiseByNorthwest · Jul 26, 2024 · f84f2b6 · f84f2b6
2 parents e0a7842 + 9eb2e58
commit f84f2b6
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/src/php_spx.c b/src/php_spx.c
@@ -924,6 +924,10 @@ static void http_ui_handler_shutdown(void)
         ui_uri = "/index.html";
     }
 
+    if (ui_uri[0] != '/' || strstr(ui_uri, "/../") != NULL) {
+        goto error_404;
+    }
+
     if (0 == http_ui_handler_data(SPX_G(data_dir), ui_uri)) {
         goto finish;
     }

diff --git a/tests/spx_ui_uri_confinement.phpt b/tests/spx_ui_uri_confinement.phpt
@@ -0,0 +1,21 @@
+--TEST--
+UI: URI confinement
+--CGI--
+--INI--
+spx.http_enabled=1
+spx.http_key="dev"
+spx.http_ip_whitelist="127.0.0.1"
+log_errors=on
+--ENV--
+return <<<END
+REMOTE_ADDR=127.0.0.1
+REQUEST_URI=/
+END;
+--GET--
+SPX_KEY=dev&SPX_UI_URI=/js/../../../README.md
+--FILE--
+<?php
+// noop
+?>
+--EXPECT--
+File not found.