WebServer static resource requests can escape the web root and allocate whole files

Summary

The WebServer static-file path still normalizes request paths by string replacement and prefixing. The socket parser rejects request targets containing a literal .. earlier on, but _ProcessFileReq() itself neither canonicalizes the final path nor verifies that the opened file lies under the configured web-server directory.

The same path reads the complete file into a single heap allocation before sending it. If the web upload/file-size preference is set to 0, the size check becomes unlimited and the 64-bit file length is cast to UINT, so lengths of 4 GiB or more are truncated before the allocation is sized.

Current Main Evidence

  • srchybrid\WebSocket.cpp classifies static resource requests before calling CWebServer::_ProcessFileReq(...).
  • srchybrid\WebServer.cpp::_ProcessFileReq() converts / to \, strips at most one leading slash, prepends thePrefs.GetMuleDirectory(EMULE_WEBSERVERDIR), opens the result, casts file.GetLength() to UINT, allocates new char[filesize], and sends the whole buffer.
  • The file-serving helper is directly reachable from per-connection WebSocket request threads.

Risk

This is primarily a security and memory-hardening issue:

  • encoded, absolute, drive-qualified, UNC, or later-normalized path forms can bypass simple string checks if the caller ever decodes or accepts them before this helper;
  • a defensive helper should reject paths outside the web root even when the caller has already filtered obvious .. strings;
  • full-file buffering makes large static files a denial-of-service risk and keeps a truncation hazard around UINT sizes.

Broadband Fit

This is close-stock hardening. It should not change WebServer semantics except to reject invalid static-resource paths and stream valid files with bounded memory use.

Resolution

Implemented on main with an app-internal static-file seam and bounded streaming in CWebServer::_ProcessFileReq().

Acceptance Criteria

  • [x] canonicalize the requested static path before opening it
  • [x] reject absolute paths, drive-qualified paths, UNC paths, and paths outside EMULE_WEBSERVERDIR
  • [x] keep static-file serving compatible with long paths and localized config roots
  • [x] stream static files in bounded chunks instead of allocating the full file
  • [x] handle 64-bit file sizes consistently when the configured max size is unlimited
  • [x] add targeted WebServer tests for traversal attempts, encoded separators, normal resource serving, and large resource limits
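As an added example (not eMule's own code), a standalone C++ sketch of the two hardening points above: string-level canonicalization that rejects every path form listed in the criteria before any file is opened, and chunked streaming that keeps sizes 64-bit and treats a limit of 0 as unlimited. It assumes the request target arrives as the raw HTTP path (e.g. /index.html), that the caller joins the returned relative path to EMULE_WEBSERVERDIR, and that the function names and the 8 KiB chunk size are free choices.

```cpp
#include <cctype>
#include <cstdint>
#include <optional>
#include <sstream>
#include <string>
// Percent-decode a request target; a malformed escape rejects the whole target.
static std::optional<std::string> PercentDecode(const std::string& s) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] != '%') { out += s[i]; continue; }
        if (i + 2 >= s.size() || !std::isxdigit((unsigned char)s[i + 1]) || !std::isxdigit((unsigned char)s[i + 2]))
            return std::nullopt;
        out += (char)std::stoi(s.substr(i + 1, 2), nullptr, 16); i += 2;
    }
    return out;
}
// Map a request target to a path relative to the web root, or reject it: decode, treat '\'
// like '/', drop the target's single leading slash, then refuse anything still absolute
// (covers UNC "//host/share"), drive-qualified ("C:"), or containing a ".." segment.
std::optional<std::string> ResolveStaticPath(const std::string& target) {
    auto decoded = PercentDecode(target);
    if (!decoded || decoded->find('\0') != std::string::npos) return std::nullopt;
    std::string p = *decoded;
    for (char& c : p) if (c == '\\') c = '/';
    if (!p.empty() && p[0] == '/') p.erase(0, 1);
    if (p.empty() || p[0] == '/' || (p.size() >= 2 && p[1] == ':')) return std::nullopt;
    std::string rel;
    for (size_t start = 0; start <= p.size();) {
        size_t end = p.find('/', start);
        if (end == std::string::npos) end = p.size();
        std::string seg = p.substr(start, end - start);
        if (seg == "..") return std::nullopt;  // never climb, even if it would net out inside the root
        if (!seg.empty() && seg != ".") rel += (rel.empty() ? "" : "/") + seg;
        start = end + 1;
    }
    if (rel.empty()) return std::nullopt;
    return rel;  // caller joins this to the web root; no separator or ".." can escape it
}
// Stream a body in fixed-size chunks so memory use is the chunk, not the file. Sizes stay
// 64-bit throughout (no UINT cast); maxBytes == 0 means unlimited, as the preference does.
template <class Send>
std::optional<uint64_t> StreamBounded(std::istream& in, uint64_t length, uint64_t maxBytes, Send send) {
    if (maxBytes != 0 && length > maxBytes) return std::nullopt;
    char chunk[8192]; uint64_t sent = 0;  // assumed chunk size; the only buffer involved
    while (in.good() && (in.read(chunk, sizeof chunk), in.gcount() > 0)) {
        if (!send(chunk, (size_t)in.gcount())) return std::nullopt;
        sent += (uint64_t)in.gcount();
    }
    return sent;
}
```

Because the check runs on the decoded, separator-normalized string rather than on the raw target, encoded traversals such as %2e%2e%2f and %5c-separated forms are caught the same way as the plain ones.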