Patch for CVE-2018-7490 in uwsgi
Hi all,
Attached is a wheezy patch for a security issue:
https://security-tracker.debian.org/tracker/CVE-2018-7490
The upstream patch was backported, and source code apparently didn't
change much. Only a small section (~10 lines) from the current uwsgi had
to be added additionally.
It builds and runs fine here. But PHP is not the backend I am using, so:
Anyone with PHP to test?
Kind regards,
Gero
diff -pru a/plugins/php/php_plugin.c b/plugins/php/php_plugin.c
--- a/plugins/php/php_plugin.c 2012-05-14 07:58:20.000000000 +0200
+++ b/plugins/php/php_plugin.c 2018-03-18 09:02:37.550879024 +0100
@@ -22,6 +22,7 @@ struct uwsgi_php {
struct uwsgi_string_list *set;
struct uwsgi_string_list *append_config;
char *docroot;
+ size_t docroot_len;
char *app;
size_t ini_size;
int dump_config;
@@ -642,6 +643,18 @@ int uwsgi_php_init(void) {
uwsgi_log("--- end of PHP custom config ---\n");
}
+ // fix docroot
+ if (uphp.docroot) {
+ char *orig_docroot = uphp.docroot;
+ uphp.docroot = uwsgi_expand_path(uphp.docroot, strlen(uphp.docroot), NULL);
+ if (!uphp.docroot) {
+ uwsgi_log("unable to set php docroot to %s\n", orig_docroot);
+ exit(1);
+ }
+ uwsgi_log("PHP document root set to %s\n", uphp.docroot);
+ uphp.docroot_len = strlen(uphp.docroot);
+ }
+
uwsgi_sapi_module.startup(&uwsgi_sapi_module);
// filling http status codes
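Review bot: the canonicalisation at `uphp.docroot = uwsgi_expand_path(...)` is the right basis for the request-time comparison, since `real_filename` is also a resolved path, but `docroot_len` is computed only here; any later assignment to `uphp.docroot` would leave the length stale, so either document that `docroot` is fixed after init or compute the length at the comparison site. Minor: on the failure path `orig_docroot` is only needed for the log message, which is fine given the immediate `exit(1)`, but the message could say the path could not be resolved rather than "set" to make the cause clearer to an operator.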
@@ -784,6 +797,7 @@ int uwsgi_php_request(struct wsgi_reques
free(filename);
real_filename_len = strlen(real_filename);
+ // first check for valid doc roots
if (uphp.allowed_docroot) {
struct uwsgi_string_list *usl = uphp.allowed_docroot;
while(usl) {
@@ -796,6 +810,16 @@ int uwsgi_php_request(struct wsgi_reques
uwsgi_log("PHP security error: %s is not under an allowed docroot\n", real_filename);
return -1;
}
+ // then for default docroot (if any)
+ else if (uphp.docroot)
+ {
+ if (!uwsgi_starts_with(real_filename, real_filename_len, uphp.docroot, uphp.docroot_len)) {
+ goto secure;
+ }
+ uwsgi_403(wsgi_req);
+ uwsgi_log("PHP security error: %s is not under the default docroot\n", real_filename);
+ return -1;
+}
secure:
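Review bot: the new `else if (uphp.docroot)` branch accepts any `real_filename` whose leading bytes equal `uphp.docroot`, with no check that the next character is a path separator, so a sibling directory that shares the docroot as a string prefix would also pass; compare against the docroot with a trailing `/` appended (or check `real_filename[uphp.docroot_len] == '/'` when lengths differ) so only paths strictly inside the root are accepted. Style: the opening `{` on its own line and the closing `+}` at column 0 do not match the K&R layout of the surrounding `if (uphp.allowed_docroot)` block; indent the block to match.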