
GET //etc/passwd HTTP/1.0

I noticed the check for "/." in the path and I chuckled.

I think if you strip all leading forward slashes and check for "/." then you may have it be "secure" on Linux at least.

Your best bet for fixing this on Windows is making sure the code never compiles on Windows because god knows what on earth the path handling is like on Windows.




Good point, I need to add something like b[3]='.', and then use b+3 as a path, not b+5, to fix that vulnerability.

Update: I fixed this on GitHub.


And now it compiles on Windows, at least with Msys2. I'm updating the code on GitHub.
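
The fix discussed in this thread, sketched as an added example (not the project's code and not written by either commenter): the request line is rewritten in place so that the path always starts with "./", and any path containing "/." is refused. The function name `request_to_relative_path`, the backslash check and the sample request lines are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper. Takes a writable request line such as
 * "GET /index.html HTTP/1.0" and returns a path relative to the
 * current directory, or NULL if the request must be refused. */
char *request_to_relative_path(char *b)
{
    if (strncmp(b, "GET /", 5) != 0)
        return NULL;

    /* Cut the line after the path: " HTTP/1.0" or a bare CR/LF. */
    b[4 + strcspn(b + 4, " \r\n")] = '\0';

    /* Refuse "/../", "/./" and dotfiles anywhere in the path. */
    if (strstr(b + 4, "/."))
        return NULL;

    /* Added assumption: also refuse backslashes, which Windows
     * treats as a path separator. */
    if (strchr(b + 4, '\\'))
        return NULL;

    /* The fix from the thread: overwrite the space before the path
     * with '.', so "GET //etc/passwd" yields ".//etc/passwd" and the
     * open() that follows can never receive an absolute path. */
    b[3] = '.';
    return b + 3;
}

int main(void)
{
    /* Constructed sample request lines. */
    char reqs[][40] = {
        "GET /index.html HTTP/1.0",
        "GET //etc/passwd HTTP/1.0",
        "GET /../etc/passwd HTTP/1.0",
        "GET /a/.htpasswd HTTP/1.0",
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        char *p = request_to_relative_path(reqs[i]);
        printf("%s\n", p ? p : "(refused)");
    }
    return 0;
}
```

With the old `b+5` offset the second request would have produced the absolute path `/etc/passwd`; with `b+3` it resolves under the directory the server runs in.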



