Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Directory Traversal Vulnerability #223

Closed
starryloki opened this issue Feb 28, 2022 · 2 comments · Fixed by #224
Closed

Directory Traversal Vulnerability #223

starryloki opened this issue Feb 28, 2022 · 2 comments · Fixed by #224

Comments

@starryloki
Copy link

While qrcp works on receive mode, uploader can edit the file name in HTTP request and add "../". Meanwhile, qrcp doesn't check legality of file name which lead to directory traversal.
Env: qrcp-0.8.4, Windows 10 x86_64, Ubuntu 20.04 x86_64
Poc:
image
image
image

credit: starryloki,lu0sf

@claudiodangelis
Copy link
Owner

Hello, many thanks for spotting & reporting, I will focus on this very soon.
C

@claudiodangelis
Copy link
Owner

claudiodangelis commented Mar 3, 2022

This was apparently an issue on the mime/multipart package of Go itself, which has been fixed 10 months ago, a few weeks after the latest release of qrcp.

Links:

I added a patch, should be all good now, can you please confirm? Thanks

EDIT: patch released as of version 0.8.5.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants