CERBERUS/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2026-05-13 08:46:45 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fix path traversal. Dots are escaped by % in Lua, not by \.

Browse source
This commit is contained in:
d33tah 2013-09-10 23:42:59 +00:00
parent 5083b40527
commit a0bd430087
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
ncat/scripts/httpd.lua
View file

@ -315,8 +315,8 @@ first_char = resource:sub(0, 1)
--(Windows drive names are not welcome too.)
drive = resource:match("^([a-zA-Z]):")
if first_char == "." or first_char == "/" or first_char == "\\" or drive
or resource:find("/\\.\\./?") or resource:find("\\\\.\\.\\?")
or resource:find("/?\\.\\./") or resource:find("\\?\\.\\.\\") then
or resource:find("/%.%./?") or resource:find("\\%.%.\\?")
or resource:find("/?%.%./") or resource:find("\\?%.%.\\") then
do_403() --no hidden Unix files or simple directory traversal, sorry!
end