multi-byte encoded filename and directory #337

Open
GoogleCodeExporter opened this issue Mar 16, 2015 · 7 comments

Comments

@GoogleCodeExporter

The mongoose processing multi-byte encoded languages such as Chinese, 
Japanese, Korean, and others.

<pre>
--- mongoose.c.orig 2012-03-31 20:21:36.542238733 +0800
+++ mongoose.c  2012-03-31 20:21:59.498241027 +0800
@@ -953,8 +953,7 @@
    // actually opens "a.cgi", and does not return an error!
   if (*p == 0x20 ||               // No space at the end
       (*p == 0x2e && p > buf) ||  // No '.' but allow '.' as full path
-      *p == 0x2b ||               // No '+'
-      (*p & ~0x7f)) {             // And generally no non-ascii chars
+      *p == 0x2b ) {              // No '+'
     (void) fprintf(stderr, "Rejecting suspicious path: [%s]", buf);
     wbuf[0] = L'\0';
   } else {
</pre>
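
Review bot: deleting `(*p & ~0x7f)` from the condition removes the only check in this hunk on bytes above 0x7f at `*p`, and nothing visible replaces it. The comment above the condition says the test exists because Windows opens "a.cgi" when the name carries trailing garbage, so the change should show that a name ending in a high byte cannot resolve to a different file, for example by validating the encoding in the `else` branch (its body is not shown here) before anything is written to `wbuf`, rather than accepting every high byte. Minor style point: `*p == 0x2b ) {` leaves a stray space before the closing parenthesis.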

Original issue reported on code.google.com by [email protected] on 31 Mar 2012 at 12:48

@GoogleCodeExporter

Actually 335, 336, 337, 189 and to some extent 105 are the same issue/have the 
same reason. Microsoft states that dots and spaces at the end of a filename are 
removed (http://support.microsoft.com/kb/115827/en-us, 
http://msdn.microsoft.com/en-us/library/aa365247), but non-ASCII characters are 
explicitly allowed. I also did not find any indication that + should not be 
allowed. At least URLs like script.cgi+ and script.cgi%2B do not open 
script.cgi, so CGI code disclosure should not be an issue here.

Original comment by [email protected] on 1 Apr 2012 at 1:02
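
The rule described in the comment above (Windows drops trailing dots and spaces, while non-ASCII names are legitimate), as an added example that is not mongoose code and not from this thread: a hypothetical `path_is_suspicious` helper rejects a trailing space or dot and accepts high bytes only when they form well-formed UTF-8. UTF-8 input is an assumption; the two-byte CJK code pages mentioned later in the thread are not covered, and '+' is not handled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length (1-4) of the well-formed UTF-8 sequence at s, or 0 if it is malformed. */
static size_t utf8_seq_len(const unsigned char *s, size_t n) {
  size_t len, i;
  unsigned long cp;
  if (n == 0) return 0;
  if (s[0] < 0x80) return 1;
  if ((s[0] & 0xe0) == 0xc0) { len = 2; cp = s[0] & 0x1f; }
  else if ((s[0] & 0xf0) == 0xe0) { len = 3; cp = s[0] & 0x0f; }
  else if ((s[0] & 0xf8) == 0xf0) { len = 4; cp = s[0] & 0x07; }
  else return 0;                 /* stray continuation byte or invalid lead */
  if (n < len) return 0;         /* sequence cut off by end of string */
  for (i = 1; i < len; i++) {
    if ((s[i] & 0xc0) != 0x80) return 0;
    cp = (cp << 6) | (s[i] & 0x3f);
  }
  /* Overlong forms, surrogates and values above U+10FFFF are not valid. */
  if ((len == 2 && cp < 0x80) || (len == 3 && cp < 0x800) ||
      (len == 4 && cp < 0x10000) || cp > 0x10ffff ||
      (cp >= 0xd800 && cp <= 0xdfff)) return 0;
  return len;
}

/* Hypothetical helper: returns 1 to reject the path, 0 to accept it. */
int path_is_suspicious(const char *path) {
  const unsigned char *s = (const unsigned char *) path;
  size_t n = strlen(path), i = 0, step;
  if (n == 0) return 1;
  /* Windows strips trailing spaces and dots; "." alone stays allowed. */
  if (s[n - 1] == 0x20 || (s[n - 1] == 0x2e && n > 1)) return 1;
  while (i < n) {                /* every byte must belong to valid UTF-8 */
    step = utf8_seq_len(s + i, n - i);
    if (step == 0) return 1;
    i += step;
  }
  return 0;
}

int main(void) {
  /* Constructed sample names; the third is a CJK name in UTF-8. */
  const char *names[] = { "a.cgi", "a.cgi ", "\xe4\xb8\xad\xe6\x96\x87.txt", "\xc0\xae" };
  size_t k;
  for (k = 0; k < sizeof(names) / sizeof(names[0]); k++)
    printf("%d\n", path_is_suspicious(names[k]));
  return 0;
}
```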

@GoogleCodeExporter

The Chinese version of the operating system allows file names and directory 
names to use Chinese; Chinese (including CJK) uses two bytes greater than 0x7f 
ASCII codes.

Original comment by [email protected] on 5 Apr 2012 at 1:40

@GoogleCodeExporter

Excluding bytes greater than 0x7f, mongoose handles CJK-coded directory names 
wrongly.

Original comment by [email protected] on 5 Apr 2012 at 1:43

@GoogleCodeExporter

Issue 336 has been merged into this issue.

Original comment by valenok on 22 Sep 2012 at 12:39

@GoogleCodeExporter

Issue 189 has been merged into this issue.

Original comment by valenok on 22 Sep 2012 at 12:39

@GoogleCodeExporter

Issue 105 has been merged into this issue.

Original comment by valenok on 22 Sep 2012 at 12:41

@GoogleCodeExporter

Issue 335 has been merged into this issue.

Original comment by valenok on 23 Sep 2012 at 1:04
