Fix CVE-2016-6255: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6255 http://www.openwall.com/lists/oss-security/2016/07/18/13 Patch adapted from upstream commit: https://github.com/mrjimenez/pupnp/commit/d64d6a44906b5aa5306bdf1708531d698654dda5 The upstream change is simplified to unconditionally disable the HTTP POST feature. From d64d6a44906b5aa5306bdf1708531d698654dda5 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 23 Feb 2016 13:53:20 -0800 Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by default If there's no registered handler for a POST request, the default behaviour is to write it to the filesystem. Several million deployed devices appear to have this behaviour, making it possible to (at least) store arbitrary data on them. Add a configure option that enables this behaviour, and change the default to just drop POSTs that aren't directly handled. Signed-off-by: Marcelo Roberto Jimenez (cherry picked from commit c91a8a3903367e1163765b73eb4d43be7d7927fa) --- configure.ac | 9 +++++++++ upnp/inc/upnpconfig.h.in | 9 +++++++++ upnp/src/genlib/net/http/webserver.c | 4 ++++ 3 files changed, 22 insertions(+) diff --git a/upnp/src/genlib/net/http/webserver.c b/upnp/src/genlib/net/http/webserver.c index 26bf0f7..7ae8c1e 100644 --- a/upnp/src/genlib/net/http/webserver.c +++ b/upnp/src/genlib/net/http/webserver.c @@ -1367,9 +1367,13 @@ static int http_RecvPostMessage( if (Fp == NULL) return HTTP_INTERNAL_SERVER_ERROR; } else { +#if 0 Fp = fopen(filename, "wb"); if (Fp == NULL) return HTTP_UNAUTHORIZED; +#else + return HTTP_NOT_FOUND; +#endif } parser->position = POS_ENTITY; do {