unofficial mirror of guix-devel@gnu.org 
blob 27377b3bca22a995c5e9ba4b0dd0b771f5325ad9 3135 bytes (raw)
name: gnu/packages/patches/libupnp-CVE-2016-6255.patch 	 # note: path name is non-authoritative(*)

Fix CVE-2016-6255:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6255
http://www.openwall.com/lists/oss-security/2016/07/18/13

Patch copied from upstream source repository:

https://github.com/mrjimenez/pupnp/commit/d64d6a44906b5aa5306bdf1708531d698654dda5

From d64d6a44906b5aa5306bdf1708531d698654dda5 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@srcf.ucam.org>
Date: Tue, 23 Feb 2016 13:53:20 -0800
Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
 default

If there's no registered handler for a POST request, the default behaviour
is to write it to the filesystem. Several million deployed devices appear
to have this behaviour, making it possible to (at least) store arbitrary
data on them. Add a configure option that enables this behaviour, and change
the default to just drop POSTs that aren't directly handled.

Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
(cherry picked from commit c91a8a3903367e1163765b73eb4d43be7d7927fa)
---
 configure.ac                         | 9 +++++++++
 upnp/inc/upnpconfig.h.in             | 9 +++++++++
 upnp/src/genlib/net/http/webserver.c | 4 ++++
 3 files changed, 22 insertions(+)

diff --git a/configure.ac b/configure.ac
index 9548913..a8731b5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -501,6 +501,15 @@ if test "x$enable_blocking_tcp_connections" = xyes ; then
         AC_DEFINE(UPNP_ENABLE_BLOCKING_TCP_CONNECTIONS, 1, [see upnpconfig.h])
 fi
 
+RT_BOOL_ARG_ENABLE([scriptsupport], [yes], [script support for IXML document tree, see ixml.h])
+if test "x$enable_scriptsupport" = xyes ; then
+        AC_DEFINE(IXML_HAVE_SCRIPTSUPPORT, 1, [see upnpconfig.h])
+fi
+
+RT_BOOL_ARG_ENABLE([postwrite], [no], [write to the filesystem on otherwise unhandled POST requests])
+if test "x$enable_postwrite" = xyes ; then
+        AC_DEFINE(UPNP_ENABLE_POST_WRITE, 1, [see upnpconfig.h])
+fi
 
 RT_BOOL_ARG_ENABLE([samples], [yes], [compilation of upnp/sample/ code])
 
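Review bot: The `scriptsupport` block in the first four added lines is unrelated to the POST-write fix named in the subject, and its default is `[yes]`, so a default build with this patch applied also defines `IXML_HAVE_SCRIPTSUPPORT`. Its AC_DEFINE description says "see upnpconfig.h", but the upnpconfig.h.in hunk in this patch adds no entry for that macro. I would drop those lines from the backport, or carry them as a separate change, and keep only the `postwrite` option, whose `[no]` default is the actual fix.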
diff --git a/upnp/inc/upnpconfig.h.in b/upnp/inc/upnpconfig.h.in
index 7f4facc..5df8c5a 100644
--- a/upnp/inc/upnpconfig.h.in
+++ b/upnp/inc/upnpconfig.h.in
@@ -131,5 +131,14 @@
  * header (i.e. configure --enable-unspecified_server) */
 #undef UPNP_ENABLE_UNSPECIFIED_SERVER
 
+/** Defined to 1 if the library has been compiled with OpenSSL support
+ *  (i.e. configure --enable-open_ssl) */
+#undef UPNP_ENABLE_OPEN_SSL
+
+/** Defined to 1 if the library has been compiled to support filesystem writes on POST
+ *  (i.e. configure --enable-postwrite) */
+#undef UPNP_ENABLE_POST_WRITE
+
+
 #endif /* UPNP_CONFIG_H */
 
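Review bot: The `UPNP_ENABLE_OPEN_SSL` entry added first in this hunk has no matching option in the configure.ac hunk, so nothing in this patch can define it; it reads as leftover context from the upstream branch and should be dropped from the backport. The `UPNP_ENABLE_POST_WRITE` comment would also be more useful if it said that the option is off by default and that enabling it restores writing unhandled POST bodies to the filesystem. The two blank lines before `#endif` can be reduced to one.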
diff --git a/upnp/src/genlib/net/http/webserver.c b/upnp/src/genlib/net/http/webserver.c
index 26bf0f7..7ae8c1e 100644
--- a/upnp/src/genlib/net/http/webserver.c
+++ b/upnp/src/genlib/net/http/webserver.c
@@ -1367,9 +1367,13 @@ static int http_RecvPostMessage(
 		if (Fp == NULL)
 			return HTTP_INTERNAL_SERVER_ERROR;
 	} else {
+#ifdef UPNP_ENABLE_POST_WRITE
 		Fp = fopen(filename, "wb");
 		if (Fp == NULL)
 			return HTTP_UNAUTHORIZED;
+#else
+		return HTTP_NOT_FOUND;
+#endif
 	}
 	parser->position = POS_ENTITY;
 	do {
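Review bot: In the new `#else` branch, `return HTTP_NOT_FOUND;` leaves the function before `parser->position = POS_ENTITY;` and the `do {` loop that follows, so the POST body is never read on this path. Please confirm that the caller closes the connection or discards the entity when this error is returned, so unread body bytes are not treated as the start of another request. Separately, with `UPNP_ENABLE_POST_WRITE` defined the `fopen(filename, "wb")` path is unchanged, so the configure help text should state that enabling the option brings back the behaviour this commit disables.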

debug log:

solving 27377b3 ...
found 27377b3 in https://yhetil.org/guix-devel/fa917307ad0877575e221960b71b2c09c8b35ab9.1475734564.git.leo@famulari.name/

applying [1/1] https://yhetil.org/guix-devel/fa917307ad0877575e221960b71b2c09c8b35ab9.1475734564.git.leo@famulari.name/
diff --git a/gnu/packages/patches/libupnp-CVE-2016-6255.patch b/gnu/packages/patches/libupnp-CVE-2016-6255.patch
new file mode 100644
index 0000000..27377b3

1:43: trailing whitespace.
 
1:53: trailing whitespace.
 
1:55: trailing whitespace.
 
1:63: trailing whitespace.
 
1:74: trailing whitespace.
 
Checking patch gnu/packages/patches/libupnp-CVE-2016-6255.patch...
Applied patch gnu/packages/patches/libupnp-CVE-2016-6255.patch cleanly.
warning: squelched 9 whitespace errors
warning: 14 lines add whitespace errors.

index at:
100644 27377b3bca22a995c5e9ba4b0dd0b771f5325ad9	gnu/packages/patches/libupnp-CVE-2016-6255.patch

(*) Git path names are given by the tree(s) the blob belongs to.
    Blobs themselves have no identifier aside from the hash of its contents.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
