

fix traversal vulnerability GHSA-pxfv-7rr3-2qjg:
the /.cpr endpoint allowed read access to the entire server filesystem,
unless mitigated by prisonparty
9001 committed Jul 14, 2023
1 parent 8f59afb commit 043e3c7
Showing 1 changed file with 9 additions and 1 deletion.
10 changes: 9 additions & 1 deletion copyparty/httpcli.py
Expand Up @@ -42,6 +42,7 @@
Pebkac,
UnrecvEOF,
alltrace,
absreal,
atomic_move,
exclude_dotfiles,
fsenc,
Expand Down Expand Up @@ -779,7 +780,14 @@ def handle_get(self) -> bool:
self.reply(b"", 301, headers=h)
return True

static_path = os.path.join(self.E.mod, "web/", self.vpath[5:])
path_base = os.path.join(self.E.mod, "web")
static_path = absreal(os.path.join(path_base, self.vpath[5:]))
if not static_path.startswith(path_base):
t = "attempted path traversal [{}] => [{}]"
self.log(t.format(self.vpath, static_path), 1)
self.tx_404()
return False

return self.tx_file(static_path)

if "cf_challenge" in self.uparam:
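Review bot: The containment check `if not static_path.startswith(path_base):` is a bare string-prefix test, so any sibling of the `web` directory whose name also begins with `web` (e.g. `<mod>/webx`) would pass it after `..` segments are collapsed by absreal; whether such a sibling exists under `self.E.mod` is not visible here, but the check should not depend on that. Anchor the prefix on a separator: `if not static_path.startswith(path_base + os.sep):`. Since absreal appears to canonicalize the candidate path while `path_base` is left as built by `os.path.join`, the two can also disagree when `self.E.mod` goes through a symlink (a spurious 404 rather than a bypass); normalizing the base the same way, `path_base = absreal(os.path.join(self.E.mod, "web"))`, keeps the comparison apples-to-apples. handle_get begins before this hunk and continues after it.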
