sc0ttj / mongoose

Automatically exported from code.google.com/p/mongoose
MIT License
0 stars 0 forks source link

multi-byte encoded filename and directory #337

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
The mongoose processing multi-byte encoded languages ​​such as Chinese, 
Japanese, Korean, and other.

<pre>
--- mongoose.c.orig 2012-03-31 20:21:36.542238733 +0800
+++ mongoose.c  2012-03-31 20:21:59.498241027 +0800
@@ -953,8 +953,7 @@
    // actually opens "a.cgi", and does not return an error!
   if (*p == 0x20 ||               // No space at the end
       (*p == 0x2e && p > buf) ||  // No '.' but allow '.' as full path
-      *p == 0x2b ||               // No '+'
-      (*p & ~0x7f)) {             // And generally no non-ascii chars
+      *p == 0x2b ) {              // No '+'
     (void) fprintf(stderr, "Rejecting suspicious path: [%s]", buf);
     wbuf[0] = L'\0';
   } else {
</pre>

Original issue reported on code.google.com by thx...@gmail.com on 31 Mar 2012 at 12:48

GoogleCodeExporter commented 8 years ago
Actually 335, 336, 337, 189 and to some extent 105 are the same issue/have the 
same reason. Microsoft states that dots and spaces at the end of a filename are 
removed (http://support.microsoft.com/kb/115827/en-us, 
http://msdn.microsoft.com/en-us/library/aa365247), but non-ascii characters are 
explicitly allowed. I also did not find any indication that + should not be 
allowed. At least urls like script.cgi+ and script.cgi%2B do not open 
script.cgi, so CGI code disclosure should not be an issue here.

Original comment by bel2...@gmail.com on 1 Apr 2012 at 1:02

GoogleCodeExporter commented 8 years ago
Chinese version of the operating system, allowing the file name and directory 
name to use Chinese, Chinese (including CJK) using two bytes greater than 0x7f 
ASCII codes.

Original comment by thx...@gmail.com on 5 Apr 2012 at 1:40

GoogleCodeExporter commented 8 years ago
Exclude greater than 0x7f bytes, mongoose handle CJK coding the directory name 
to be wrong.

Original comment by thx...@gmail.com on 5 Apr 2012 at 1:43

GoogleCodeExporter commented 8 years ago
Issue 336 has been merged into this issue.

Original comment by valenok on 22 Sep 2012 at 12:39

GoogleCodeExporter commented 8 years ago
Issue 189 has been merged into this issue.

Original comment by valenok on 22 Sep 2012 at 12:39

GoogleCodeExporter commented 8 years ago
Issue 105 has been merged into this issue.

Original comment by valenok on 22 Sep 2012 at 12:41

GoogleCodeExporter commented 8 years ago
Issue 335 has been merged into this issue.

Original comment by valenok on 23 Sep 2012 at 1:04