Changeset 32944 in project


Timestamp:
11/29/15 17:23:23 (5 years ago)
Author:
sjamaan
Message:

spiffy: Auto-detect broken CHICKENs/Windows for CVE-2015-8235, so backslashes in paths are allowed in fixed CHICKENs on *nix

File:
1 edited

  • release/4/spiffy/trunk/spiffy.scm

    r32894 r32944  
    388388;; hopefully this causes no additional problems...  This vulnerability
    389389;; was found by Benedikt Rosenau with the Netsparker vulnerability
    390 ;; scanner.  In fixed CHICKENs we should deny the backslash only on
    391 ;; Windows.
    392 (define (impossible-filename? name)
    393   (or (string=? name ".") (string=? name "..")
    394       (string-index name (char-set #\\ #\/ #\nul))))
     390;; scanner.
     391(define impossible-filename?
     392  (let ((invalid-set (if (or ##sys#windows-platform
     393                             ;; This detects CHICKENs with the bug
     394                             (string=? (make-pathname "/" "\\") "/"))
     395                         (char-set #\\ #\/ #\nul)
     396                         (char-set #\/ #\nul))))
     397    (lambda (name)
     398      (or (string=? name ".") (string=? name "..")
     399          (string-index name invalid-set)))))
    395400
    396401(define (process-entry previous-path fragment remaining-path)
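Review bot: The comment on new line 393, "This detects CHICKENs with the bug", does not say what the probe on line 394 checks, and the patch drops the sentence that stated the policy ("In fixed CHICKENs we should deny the backslash only on Windows"). Suggest spelling out that `(make-pathname "/" "\\")` returning `"/"` means this CHICKEN's make-pathname swallows the backslash, which is why `#\\` has to stay in `invalid-set` there, and keeping the policy sentence above the definition. A short remark that `invalid-set` is computed once, when the `let` is evaluated, and that the check relies on the internal `##sys#windows-platform` binding would also help the next reader of this security-relevant filter.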