Arbitrary path traversal possible with StaticFiles #981

Closed
erinpentecost opened this issue Jun 23, 2020 · 1 comment · Fixed by #985
Comments

@erinpentecost

If you pass in an absolute path by using a URL formatted like this: http://localhost:5000/staticmount/c%3a%5cwindows%5cwin.ini

Then you can read any file on the host machine.

This is because of the following Python behavior (on Windows, os.path is ntpath, and join discards the first argument when the second is absolute):

>>> import os
>>> dir = "c:\workspace\somepoject\somepackag\statics"
>>> path = "c:\windows\win.ini"
>>> os.path.join(dir, path)
'c:\\windows\\win.ini'

So staticfiles.py needs to be updated by placing in a check for absolute paths inside lookup_path(...).
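The join behaviour above, and the kind of absolute-path check the issue asks for in lookup_path(...), as an added example: this is not Starlette's own code and not the fix in #985. The names naive_join, safe_lookup, lookup_from_url and STATIC_ROOT are hypothetical, ntpath is used explicitly so the Windows semantics reproduce on any host, and the "posix" flavour goes beyond the issue's Windows-specific case to show the same check on POSIX paths.

```python
import ntpath
import posixpath
from urllib.parse import unquote

# Path flavours: "nt" reproduces Windows rules on any host; "posix" is the
# equivalent check for POSIX paths (beyond the issue's Windows case).
FLAVOURS = {"nt": ntpath, "posix": posixpath}

# Constructed example root, not a path from the issue's host.
STATIC_ROOT = r"c:\workspace\statics"


def naive_join(directory, path, flavour="nt"):
    """The unchecked join the issue describes: with Windows (ntpath)
    semantics an absolute or drive-absolute second argument makes join
    discard `directory` entirely."""
    return FLAVOURS[flavour].join(directory, path)


def safe_lookup(directory, path, flavour="nt"):
    """Hypothetical lookup check (not Starlette's lookup_path): resolve
    `path` under `directory` and return the normalized full path, or None
    when the request would escape the root."""
    mod = FLAVOURS[flavour]
    root = mod.normcase(mod.normpath(directory))

    # Check 1: refuse anything absolute, including a drive-qualified
    # request such as "c:\windows\win.ini" or "c:windows\win.ini".
    if mod.isabs(path) or mod.splitdrive(path)[0]:
        return None

    # Check 2: join, collapse "..", "." and duplicate separators, then
    # require the result to still sit under the root. This also catches a
    # rooted path without a drive ("\windows\win.ini"), which ntpath.join
    # re-roots on the directory's drive rather than under the directory.
    full = mod.normcase(mod.normpath(mod.join(root, path)))
    try:
        if mod.commonpath([root, full]) != root:
            return None
    except ValueError:  # different drives, or absolute mixed with relative
        return None
    return full


def lookup_from_url(directory, url_path, flavour="nt"):
    """Percent-decode the URL path component first: the issue's request
    hides ":" and "\\" as %3a and %5c."""
    return safe_lookup(directory, unquote(url_path), flavour)


if __name__ == "__main__":
    # The bug: the static root vanishes from the joined path.
    print(naive_join(STATIC_ROOT, r"c:\windows\win.ini"))            # c:\windows\win.ini
    # The check: the same request is rejected, a normal asset resolves.
    print(lookup_from_url(STATIC_ROOT, "c%3a%5cwindows%5cwin.ini"))  # None
    print(lookup_from_url(STATIC_ROOT, "css/app.css"))               # c:\workspace\statics\css\app.css
```

Both checks are kept because they fail differently: the isabs/splitdrive test rejects drive-qualified input before any join happens, while the commonpath comparison is what catches ".." traversal and the rooted-but-driveless form that ntpath.join silently re-roots.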

@tomchristie
Member

Thanks. We're checking and handling path breakouts, but we've obviously not covered the Windows-specific case of breaking out using a drive-absolute path. Will have a look into resolving this as a priority.
