
Security issue #7

Closed

kaos opened this issue Apr 24, 2015 · 1 comment

Comments

@kaos (Contributor) commented Apr 24, 2015

I'm about to investigate this, but in my setup I can access arbitrary files (such as /etc/passwd) using elli_fileserve.

I'll include more details in a forthcoming pull request.

@chrisavl (Owner) commented

Thanks that's very interesting, looking forward to more details on this.

kaos added a commit to kaos/elli_fileserve that referenced this issue Apr 27, 2015
First, there is a test to show that `elli_fileserve:local_path` fails
to contain the result within the root `path`.

It requires that the requested path is absolute, rather than
relative. Hence, a set of tests to show that we indeed can get an
absolute path for arbitrary settings of `prefix`.

The next commit will address these issues. I've kept them separate to make
it easier to verify that the tests indeed point at an issue, and that
the following commit does indeed solve them.
kaos added a commit to kaos/elli_fileserve that referenced this issue Apr 27, 2015
Make it the responsibility of `elli_fileserver:local_path/2` to make
sure it only processes relative paths (see note below).

Drop the responsibility to remove any leading `/` from
`elli_fileserve:unprefix/2` (as it wasn't doing a very good job at it
anyway). `unprefix_test_` adapted for this change.

Note: I think the culprit to this issue may be the oversight of this
little piece of information, from the documentation for
`filename:join/1`::

     Joins a list of file name Components with directory
     separators. If one of the elements of Components includes an
     absolute path, for example "/xxx", the preceding elements, if
     any, are removed from the result.
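The following Erlang module is an added illustration, not code from elli_fileserve or from the commits referenced above. It reproduces the `filename:join/1` behaviour quoted in the commit message (an absolute component such as the request `/etc/passwd` replaces the root instead of being placed under it) next to one way of building a `local_path/2` that first reduces the request to plain relative components and refuses anything that would climb above the root. The module name `fileserve_path`, the function names and the sample root `/var/www` are made up for the example; it assumes POSIX-style paths passed as Erlang strings (character lists).

```erlang
%% fileserve_path.erl -- added illustration, not part of elli_fileserve.
%% Module and function names are invented for this example; it assumes
%% POSIX-style paths passed as Erlang strings (character lists).
-module(fileserve_path).
-export([naive_local_path/2, local_path/2, demo/0]).

%% The pitfall from the commit message: filename:join/1 discards every
%% component that precedes an absolute one, so a request for "/etc/passwd"
%% silently replaces Root instead of being placed under it. ".." is not
%% resolved either, so "../../etc/passwd" is joined verbatim.
naive_local_path(Root, Path) ->
    filename:join([Root, Path]).

%% Hardened variant: reduce the request to a list of plain relative
%% components (no leading "/", no "." or ".." left over) and refuse
%% anything that would climb above Root. Only then is it joined.
local_path(Root, Path) ->
    case safe_components(Path) of
        {ok, []}    -> {ok, Root};
        {ok, Comps} -> {ok, filename:join([Root | Comps])};
        Error       -> Error
    end.

%% Strip leading separators so filename:split/1 can never report the
%% request as absolute, then resolve the components one by one.
safe_components(Path) ->
    resolve(filename:split(strip_leading_slashes(Path)), []).

strip_leading_slashes([$/ | Rest]) -> strip_leading_slashes(Rest);
strip_leading_slashes(Path)        -> Path.

%% Acc holds the components accepted so far, most recent first.
resolve([], Acc)                  -> {ok, lists:reverse(Acc)};
resolve(["." | Rest], Acc)        -> resolve(Rest, Acc);
resolve([".." | _], [])           -> {error, outside_root}; % would escape Root
resolve([".." | Rest], [_ | Acc]) -> resolve(Rest, Acc);    % pops one directory
resolve([Comp | Rest], Acc)       -> resolve(Rest, [Comp | Acc]).

%% Side-by-side results for request patterns of the kind discussed in the
%% issue: {Request, naive result, hardened result}.
demo() ->
    Root = "/var/www",
    Requests = ["/etc/passwd",
                "../../etc/passwd",
                "css/../../../etc/passwd",
                "images//logo.png",
                "/"],
    [{Req, naive_local_path(Root, Req), local_path(Root, Req)} || Req <- Requests].
```

With the constructed requests in `demo/0`, the naive join yields `/etc/passwd` and `/` for the two absolute requests and keeps the `..` sequences verbatim, while the hardened version returns `{ok, "/var/www/etc/passwd"}`, `{error, outside_root}`, `{error, outside_root}`, `{ok, "/var/www/images/logo.png"}` and `{ok, "/var/www"}` respectively. This is a purely lexical check: a symbolic link inside the root can still point outside it, so a file server that must also defend against that needs a check on the resolved path. On OTP 23 and later, `filelib:safe_relative_path/2` performs the same component reduction and can replace the hand-written `resolve/2`.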