From e16394ed17eb3294ba1802f8f1cca43fcbea3cb2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20P=C3=A9rez=20Crespo?= <jaime.perez@uninett.no>
Date: Tue, 26 Nov 2013 15:10:25 +0000
Subject: [PATCH] Sanitize input in the aggregator module. See issue #593 for
 more info.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3304 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/aggregator/www/arp.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/modules/aggregator/www/arp.php b/modules/aggregator/www/arp.php
index ef7d329ed..f0f7ec9a1 100644
--- a/modules/aggregator/www/arp.php
+++ b/modules/aggregator/www/arp.php
@@ -40,6 +40,16 @@ if (isset($_REQUEST['prefix'])) $prefix = $_REQUEST['prefix'];
 $suffix = '';
 if (isset($_REQUEST['suffix'])) $suffix = $_REQUEST['suffix'];
 
+/* Make sure that the request isn't suspicious (contains references to current
+ * directory or parent directory or anything like that. Searching for './' in the
+ * URL will detect both '../' and './'. Searching for '\' will detect attempts to
+ * use Windows-style paths.
+ */
+if (strpos($attributemap, '\\') !== FALSE) {
+	throw new SimpleSAML_Error_BadRequest('Requested URL contained a backslash.');
+} elseif (strpos($attributemap, './') !== FALSE) {
+	throw new SimpleSAML_Error_BadRequest('Requested URL contained \'./\'.');
+}
 
 $arp = new sspmod_aggregator_ARP($md, $attributemap, $prefix, $suffix);
 
-- 
GitLab