Security issue #7
Comments
Thanks, that's very interesting, looking forward to more details on this.
kaos added a commit to kaos/elli_fileserve that referenced this issue on Apr 27, 2015:
First, there is a test to show that `elli_fileserve:local_path` fails to contain the result within the root `path`. It requires that the requested path is absolute, rather than relative. Hence, a set of tests to show that we indeed can get an absolute path for arbitrary settings of `prefix`. Next commit will address these issues. I've kept them separate to make it easier to verify that the tests indeed point at an issue, and that the following commit does indeed solve them.
kaos added a commit to kaos/elli_fileserve that referenced this issue on Apr 27, 2015:
Make it the responsibility of `elli_fileserve:local_path/2` to make sure it only processes relative paths (see note below). Drop the responsibility to remove any leading `/` from `elli_fileserve:unprefix/2` (as it wasn't doing a very good job at it anyway). `unprefix_test_` adapted for this change. Note: I think the culprit of this issue may be the oversight of this little piece of information, from the documentation for `filename:join/1`: "Joins a list of file name Components with directory separators. If one of the elements of Components includes an absolute path, for example "/xxx", the preceding elements, if any, are removed from the result."
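A containing path check, as an added example in Erlang (not elli_fileserve's own code; the module, function names and the `/srv/www` root are hypothetical), illustrating the `filename:join/1` rule quoted in the commit message and one way a `local_path/2` can keep its result under the root by treating every request as relative and normalising `..` itself:

```erlang
%% Added example, not elli_fileserve's own code: module and function names are
%% hypothetical. Shows the filename:join/1 rule the commit message quotes and a
%% local_path/2 that keeps the joined path inside Root.
-module(safe_local_path).
-export([naive_local_path/2, local_path/2, demo/0]).

%% Naive join: as soon as one component is absolute, filename:join/1 drops
%% everything before it, so Root is silently discarded.
naive_local_path(Root, Req) ->
    filename:join([Root, Req]).

%% Containing version: force the request to be relative, join it under Root,
%% normalise "." and ".." ourselves (filename:join/1 does not), and refuse any
%% result whose components do not start with Root's components.
local_path(Root, Req) ->
    RootAbs = filename:absname(Root),
    Rel = case filename:pathtype(Req) of
              absolute -> string:trim(Req, leading, "/");
              _        -> Req
          end,
    Canon = normalise(filename:split(filename:join([RootAbs, Rel]))),
    case lists:prefix(filename:split(RootAbs), Canon) of
        true  -> {ok, filename:join(Canon)};
        false -> {error, outside_root}
    end.

%% Collapse "." and ".." components; ".." at the filesystem root stays there,
%% which is what makes "../../.." style requests fall outside Root above.
normalise(Parts) ->
    lists:reverse(normalise(Parts, [])).

normalise([], Acc)                                  -> Acc;
normalise(["." | T], Acc)                           -> normalise(T, Acc);
normalise([".." | T], [Top | Acc]) when Top =/= "/" -> normalise(T, Acc);
normalise([".." | T], Acc)                          -> normalise(T, Acc);
normalise([H | T], Acc)                             -> normalise(T, [H | Acc]).

%% Constructed requests: a normal file, the absolute path the issue mentions,
%% and a climbing relative path. The naive join returns the absolute request
%% unchanged (Root is gone); local_path/2 maps it to "/srv/www/etc/passwd"
%% and rejects the climbing one with {error, outside_root}.
demo() ->
    Root = "/srv/www",
    [{Req, naive_local_path(Root, Req), local_path(Root, Req)}
     || Req <- ["index.html", "/etc/passwd", "../../etc/passwd"]].
```

Compile with `erlc` and call `safe_local_path:demo()` from the shell. Symbolic links below Root are not resolved here, so a link that points outside the root would still pass the prefix check and needs a separate policy.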
I'm about to investigate this, but in my setup I can access arbitrary files (such as `/etc/passwd`) using `elli_fileserve`. I'll include more details in a forthcoming pull request.