hertz path-traversal bug in windows server #228

Closed
ruokeqx opened this issue Sep 4, 2022 · 0 comments · Fixed by #229
Labels
enhancement New feature or request


ruokeqx commented Sep 4, 2022

Describe the bug

Hertz path-traversal bug on Windows servers.

Hackers can read any file on a Windows server since there are no backslash restrictions.

Since backslash doesn't work in the Linux filesystem, the bug works in a very limited production environment.


Hertz version:

v0.3.0

Environment:

Any Windows server, any Go version and any Hertz version.

Fix suggestion

Replace all backslashes with forward slashes at the beginning of the `normalizePath` function.
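
The suggested fix, sketched as an added example that is not part of the original issue and is not Hertz's `normalizePath` code. The function names are hypothetical, Go's standard `path.Clean` stands in for slash-only normalization, and the request paths are constructed samples.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// naiveClean models slash-only normalization: a backslash is an ordinary
// character, so `..\` sequences survive cleaning untouched.
func naiveClean(reqPath string) string {
	return path.Clean("/" + reqPath)
}

// safeClean applies the fix suggested in the issue: convert backslashes to
// forward slashes first, then collapse "." and ".." segments.
func safeClean(reqPath string) string {
	return path.Clean("/" + strings.ReplaceAll(reqPath, `\`, "/"))
}

// hasWindowsTraversal reports whether a cleaned path still contains a ".."
// segment once both "/" and "\" are treated as separators, as Windows does.
func hasWindowsTraversal(cleaned string) bool {
	segs := strings.FieldsFunc(cleaned, func(r rune) bool {
		return r == '/' || r == '\\'
	})
	for _, seg := range segs {
		if seg == ".." {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample request paths (assumptions, not taken from the issue).
	samples := []string{
		`/static/css/app.css`,
		`/static/../../conf/app.ini`,
		`/static/..\..\conf\app.ini`,
	}
	for _, s := range samples {
		n, f := naiveClean(s), safeClean(s)
		fmt.Printf("%q\n  slash-only: %q traversal=%v\n  with fix:   %q traversal=%v\n",
			s, n, hasWindowsTraversal(n), f, hasWindowsTraversal(f))
	}
}
```

The same `hasWindowsTraversal` check can serve as a regression test for any static file handler that may be deployed on Windows.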
