Improve some defects related to HTTP service request paths #718
base: master
Conversation
- add hv_normalize_path function to hbase.h
- support http legal relative path request
- optimize http server path file cache map key
- fix false positives '/..file' normal path bug
| std::string path = req->Path(); | ||
| constchar* req_path =path.c_str(); | ||
| //path safe check | ||
| if (req_path[0] !='/' ||strstr(req_path,"/..") ||strstr(req_path,"\\..")) { |
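Review bot: with this check removed, nothing in the visible lines rejects a path before it reaches the filesystem, so the replacement normalization must run before the request path is used to build the on-disk path or the file cache key, and the first condition here (`req_path[0] != '/'`) still has to be enforced somewhere, since normalizing ".." segments does not by itself reject a path that lacks a leading slash. The two `strstr` conditions are also what produced the documented false positive: `strstr(req_path, "/..")` matches "/..file", a legitimate file name, so a segment-by-segment comparison against exactly ".." is the right replacement rather than a substring search.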
This removes the default path safe check, which makes it possible to access files in any parent directory.
House-Men · Apr 16, 2025 · edited
The handling in the hv_normalize_path function does not allow access to an illegal parent directory.
It includes the following code fragment:
while (--pos > 0) {
if (path[pos - 1] == '/') break;
}
if (pos < 1) return 0;
The handling of a relative parent directory here never allows going above the path's "/" root directory level, and after normalization the path no longer contains strings such as "/.." or "\..".
Add the hv_normalize_path function to hbase.h
A practical file-path normalization and trimming function; it is the key implementation for fixing the path-related defects.
Support legal relative-path HTTP requests
Optimize the file cache map key for relative paths in the HTTP server
Because the key of the internal file cache map is the file path, and an un-normalized path admits countless character variations for the same file, a handful of real, valid files could be turned by malicious external requests into countless file cache entries, with a memory impact. It also avoids the case where, because Windows is less strict about path compatibility than Linux, a request with a trailing backslash that should not succeed could nevertheless be opened successfully.
Fix the false positive on the normal file path "/..file"
Some files really do have a few leading dots, which caused them to be misjudged as a relative parent path and the request to be terminated.
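The author's reply above and the description of the cache-key and "/..file" fixes both turn on the same idea: walk the request path segment by segment, drop "." and empty segments, pop on exactly "..", refuse to pop past the root, and copy every other segment verbatim. The following is an added example written for this page, not libhv's hv_normalize_path and not code from the PR; it assumes a document root of "/" and that backslashes are to be treated as separators, and it keeps the old `strstr`-based check (as shown in the removed lines) only to demonstrate its false positive on "/..file". Unlike the substring check, it returns an error on an escape attempt instead of silently clamping, so the caller can answer 400/403 rather than serving a file.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical normalizer (NOT libhv's hv_normalize_path), added as an example.
 * Rules:
 *   - '\\' is treated as '/' so Windows-style separators cannot bypass checks
 *   - empty and "." segments are dropped ("//", "/./")
 *   - ".." pops the previous segment; ".." with nothing left to pop is an
 *     attempt to leave the document root and the request is rejected
 *   - a trailing separator is dropped so "/x/" and "/x" give one cache key
 *   - any other segment, including "..file", is copied verbatim
 * Returns the length of the normalized path, or -1 if the path does not start
 * with a separator, tries to escape the root, or does not fit in out. */
int example_normalize_path(const char *in, char *out, size_t outsz) {
    if (in == NULL || out == NULL || outsz < 2) return -1;
    if (in[0] != '/' && in[0] != '\\') return -1;

    size_t olen = 1;                     /* out[0..olen) is the normalized prefix */
    out[0] = '/';
    const char *p = in + 1;

    while (*p) {
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\') p++;
        size_t seglen = (size_t)(p - seg);
        if (*p) p++;                     /* consume the separator */

        if (seglen == 0 || (seglen == 1 && seg[0] == '.')) continue;

        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (olen == 1) return -1;    /* ".." at the root: escape attempt */
            olen--;                      /* step onto last char of previous segment */
            while (olen > 0 && out[olen - 1] != '/') olen--;  /* back to joining '/' */
            if (olen > 1) olen--;        /* drop the joiner unless it is the root '/' */
            continue;
        }

        /* ordinary segment ("..file" included): join with '/' unless at root */
        size_t need = olen + (olen > 1 ? 1 : 0) + seglen + 1;
        if (need > outsz) return -1;
        if (olen > 1) out[olen++] = '/';
        memcpy(out + olen, seg, seglen);
        olen += seglen;
    }
    out[olen] = '\0';
    return (int)olen;
}

/* The substring check visible in the removed lines of the diff, kept only to
 * show its false positive: "/..file" contains "/.." and is rejected. */
bool legacy_path_check_passes(const char *req_path) {
    return !(req_path[0] != '/' || strstr(req_path, "/..") != NULL ||
             strstr(req_path, "\\..") != NULL);
}

/* 1 if normalization succeeds and yields exactly `expected`, else 0. */
int example_normalizes_to(const char *in, const char *expected) {
    char buf[256];
    int n = example_normalize_path(in, buf, sizeof buf);
    return n >= 0 && strcmp(buf, expected) == 0;
}

/* 1 if the normalizer refuses the request path. */
int example_rejects(const char *in) {
    char buf[256];
    return example_normalize_path(in, buf, sizeof buf) < 0;
}

int main(void) {
    /* constructed sample request paths */
    const char *samples[] = {
        "/..file", "/static/./js//app.js/", "/index.html\\",
        "/a/b/../../c", "/../etc/passwd", "/static/..\\..\\etc/passwd",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[256];
        int n = example_normalize_path(samples[i], buf, sizeof buf);
        printf("%-28s legacy=%-6s normalized=%s\n", samples[i],
               legacy_path_check_passes(samples[i]) ? "pass" : "reject",
               n < 0 ? "(rejected)" : buf);
    }
    return 0;
}
```

The normalized string is also the right thing to use as the file cache map key: "/static/./js//app.js/" and "/static/js/app.js" collapse to one entry, which is the cache-exhaustion point raised in the description.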