-
Notifications
You must be signed in to change notification settings - Fork 17.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/http: ServeFile may be insufficiently hardened against misuse #53946
Comments
We could potentially reject names containing ? and % in ServeFile, as evidence of passing an unsanitized, unescaped RequestURI through. |
Would it be a good idea if we reject all requested files that are not within the current working directory tree? If yes, a potential solution could look like this: func ServeFile(w ResponseWriter, r *Request, name string) {
- if containsDotDot(r.URL.Path) {
- // Too many programs use r.URL.Path to construct the argument to
- // serveFile. Reject the request under the assumption that happened
- // here and ".." may not be wanted.
- // Note that name might not contain "..", for example if code (still
- // incorrectly) used filepath.Join(myDir, r.URL.Path).
- Error(w, "invalid URL path", StatusBadRequest)
- return
- }
dir, file := filepath.Split(name)
+ wd, err := os.Getwd()
+ if err != nil {
+ Error(w, "cannot determine current directory", StatusInternalServerError)
+ return
+ }
+ dir := filepath.Join(wd, filepath.FromSlash(path.Clean("/"+dir)))
serveFile(w, r, Dir(dir), file, false)
} i.e., the given |
Change https://go.dev/cl/420414 mentions this issue: |
i'm working on it. But I'm not quite sure. Does it mean we should check and reject the case if u.Path and u.RawQuery inclusion |
i send a cl, just check As for checking the unescaped param, is it appropriate to call |
The
http.ServeFile
function replies to a request with the contents of a named file on the local filesystem.As a hardening measure,
ServeFile
attempts to guard against cases where it is called with an untrusted input as the source filename. In particular,ServeFile
rejects requests wherer.URL.Path
contains a..
path element to protect callers who might user.URL.Path
as a component of the filename.This does not protect users who use a query parameter to construct the filename.
Perhaps we could additionally harden
ServeFile
by checking for..
elements anywhere in the request URI, including query parameters. (What about form values? Would we check them too?)Or perhaps there are some other measures we could take to harden
ServeFile
against misuse.The text was updated successfully, but these errors were encountered: