aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/libupnp-CVE-2016-6255.patch
blob: c9a3fa284ce7187f7664ae16c5a87550d8ca5947 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
Fix CVE-2016-6255:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6255
http://www.openwall.com/lists/oss-security/2016/07/18/13

Patch adapted from upstream commit:

https://github.com/mrjimenez/pupnp/commit/d64d6a44906b5aa5306bdf1708531d698654dda5

The upstream change is simplified to unconditionally disable the HTTP
POST feature.

From d64d6a44906b5aa5306bdf1708531d698654dda5 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@srcf.ucam.org>
Date: Tue, 23 Feb 2016 13:53:20 -0800
Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
 default

If there's no registered handler for a POST request, the default behaviour
is to write it to the filesystem. Several million deployed devices appear
to have this behaviour, making it possible to (at least) store arbitrary
data on them. Add a configure option that enables this behaviour, and change
the default to just drop POSTs that aren't directly handled.

Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
(cherry picked from commit c91a8a3903367e1163765b73eb4d43be7d7927fa)
---
 configure.ac                         | 9 +++++++++
 upnp/inc/upnpconfig.h.in             | 9 +++++++++
 upnp/src/genlib/net/http/webserver.c | 4 ++++
 3 files changed, 22 insertions(+)

diff --git a/upnp/src/genlib/net/http/webserver.c b/upnp/src/genlib/net/http/webserver.c
index 26bf0f7..7ae8c1e 100644
--- a/upnp/src/genlib/net/http/webserver.c
+++ b/upnp/src/genlib/net/http/webserver.c
@@ -1367,9 +1367,13 @@ static int http_RecvPostMessage(
 		if (Fp == NULL)
 			return HTTP_INTERNAL_SERVER_ERROR;
 	} else {
+#if 0
 		Fp = fopen(filename, "wb");
 		if (Fp == NULL)
 			return HTTP_UNAUTHORIZED;
+#else
+		return HTTP_NOT_FOUND;
+#endif
 	}
 	parser->position = POS_ENTITY;
 	do {