Patch for CVE-2018-7490 in uwsgi

To: debian-lts@lists.debian.org
Subject: Patch for CVE-2018-7490 in uwsgi
From: Gero Treuner <gt_72_debian.org@innocircle.com>
Date: Sun, 18 Mar 2018 10:02:10 +0100
Message-id: <[🔎] 20180318090210.GF15811@innocircle.com>

Hi all,

Attached is a wheezy patch for a security issue:
https://security-tracker.debian.org/tracker/CVE-2018-7490

The upstream patch was backported, and source code apparently didn't
change much. Only a small section (~10 lines) from the current uwsgi had
to be added additionally.

It build and runs fine here. But PHP ist not the backend I am using, so:
Anyone with PHP to test?


Kind regards,
   Gero

diff -pru a/plugins/php/php_plugin.c b/plugins/php/php_plugin.c
--- a/plugins/php/php_plugin.c	2012-05-14 07:58:20.000000000 +0200
+++ b/plugins/php/php_plugin.c	2018-03-18 09:02:37.550879024 +0100
@@ -22,6 +22,7 @@ struct uwsgi_php {
 	struct uwsgi_string_list *set;
 	struct uwsgi_string_list *append_config;
 	char *docroot;
+	size_t docroot_len;
 	char *app;
 	size_t ini_size;
 	int dump_config;
@@ -642,6 +643,18 @@ int uwsgi_php_init(void) {
 		uwsgi_log("--- end of PHP custom config ---\n");
 	}
 
+	// fix docroot
+	if (uphp.docroot) {
+		char *orig_docroot = uphp.docroot;
+		uphp.docroot = uwsgi_expand_path(uphp.docroot, strlen(uphp.docroot), NULL);
+		if (!uphp.docroot) {
+			uwsgi_log("unable to set php docroot to %s\n", orig_docroot);
+			exit(1);
+		}
+		uwsgi_log("PHP document root set to %s\n", uphp.docroot);
+		uphp.docroot_len = strlen(uphp.docroot);
+	}
+
 	uwsgi_sapi_module.startup(&uwsgi_sapi_module);
 
 	// filling http status codes
@@ -784,6 +797,7 @@ int uwsgi_php_request(struct wsgi_reques
 	free(filename);
 	real_filename_len = strlen(real_filename);
 
+	// first check for valid doc roots
 	if (uphp.allowed_docroot) {
 		struct uwsgi_string_list *usl = uphp.allowed_docroot;
 		while(usl) {
@@ -796,6 +810,16 @@ int uwsgi_php_request(struct wsgi_reques
 		uwsgi_log("PHP security error: %s is not under an allowed docroot\n", real_filename);
 		return -1;
 	}
+	// then for default docroot (if any)
+	else if (uphp.docroot)
+	{
+		if (!uwsgi_starts_with(real_filename, real_filename_len, uphp.docroot, uphp.docroot_len)) {
+			goto secure;
+		}
+		uwsgi_403(wsgi_req);
+		uwsgi_log("PHP security error: %s is not under the default docroot\n", real_filename);
+		return -1;
+}
 
 secure:

Reply to:

Follow-Ups:
- Re: Patch for CVE-2018-7490 in uwsgi
  - From: Abhijith PA <abhijith@disroot.org>

Prev by Date: Re: tiff / CVE-2018-7456
Next by Date: Re: Patch for CVE-2018-7490 in uwsgi
Previous by thread: Re: Bug#892590: Review graphite2
Next by thread: Re: Patch for CVE-2018-7490 in uwsgi
Index(es):
- Date
- Thread