From a49c688d4841941347e75144ceb0a00b6d2595f7 Mon Sep 17 00:00:00 2001
From: Sergey Lyubka <valenok@gmail.com>
Date: Wed, 24 Aug 2011 12:55:08 +0100
Subject: [PATCH] Fixed directory traversal security issue for windows

---
 mongoose.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/mongoose.c b/mongoose.c
index 9d10a73a..7e5e91d8 100644
--- a/mongoose.c
+++ b/mongoose.c
@@ -889,7 +889,7 @@ static void change_slashes_to_backslashes(char *path) {
 // Encode 'path' which is assumed UTF-8 string, into UNICODE string.
 // wbuf and wbuf_len is a target buffer and its length.
 static void to_unicode(const char *path, wchar_t *wbuf, size_t wbuf_len) {
-  char buf[PATH_MAX], *p;
+  char buf[PATH_MAX], buf2[PATH_MAX], *p;
 
   mg_strlcpy(buf, path, sizeof(buf));
   change_slashes_to_backslashes(buf);
@@ -911,10 +911,17 @@ static void to_unicode(const char *path, wchar_t *wbuf, size_t wbuf_len) {
       *p == 0x2b ||               // No '+'
       (*p & ~0x7f)) {             // And generally no non-ascii chars
     (void) fprintf(stderr, "Rejecting suspicious path: [%s]", buf);
-    buf[0] = '\0';
+    wbuf[0] = L'\0';
+  } else {
+    // Convert to Unicode and back. If doubly-converted string does not
+    // match the original, something is fishy, reject.
+    MultiByteToWideChar(CP_UTF8, 0, buf, -1, wbuf, (int) wbuf_len);
+    WideCharToMultiByte(CP_UTF8, 0, wbuf, (int) wbuf_len, buf2, sizeof(buf2),
+                        NULL, NULL);
+    if (strcmp(buf, buf2) != 0) {
+      wbuf[0] = L'\0';
+    }
   }
-
-  (void) MultiByteToWideChar(CP_UTF8, 0, buf, -1, wbuf, (int) wbuf_len);
 }
 
 #if defined(_WIN32_WCE)