Skip to content

os, net/http: avoid escapes from os.DirFS and http.Dir on Windows CVE-2022-41720 #56694

@neild

Description

@neild

This is a PRIVATE issue for CVE-2022-41720 tracked in http://b/257275141.

os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

The os.DirFS function and http.Dir type provide access to a tree of files
rooted at a given directory. These functions permitted access to Windows
device files under that root. For example, os.DirFS("C:/tmp").Open("COM1")
would open the COM1 device.
Both os.DirFS and http.Dir only provide read-only filesystem access.

In addition, on Windows, an os.DirFS for the directory \(the root of the
current drive) can permit a maliciously crafted path to escape from the
drive and access any path on the system.

The behavior of os.DirFS("") has changed. Previously, an empty root was
treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp".
This now returns an error.

Metadata

Metadata

Assignees

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions