A parent directory of the root can be accessed #89

Closed
hayatoito opened this Issue Nov 8, 2016 · 5 comments

Projects

None yet

3 participants

@hayatoito
Contributor
hayatoito commented Nov 8, 2016 edited

It looks that RequestedPath::new() uses the result of decode_percents(...) without any filtering.
That allows a potential access to a parent directory of the Static's root.

For example, the following request might return the contents of /etc/passwd file.

http://host:port/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

I guess this behavior is unintentional because this could be an security vulnerability.

@Hoverbear
Member
Hoverbear commented Nov 8, 2016 edited

Hm, I would feel that this is a security risk yes. I would assume desirable behavior would be that you couldn't traverse "up" past the defined root.

Would you like to make a patch for this?

@hayatoito
Contributor
hayatoito commented Nov 8, 2016 edited

Sure. Let me try.

@hayatoito hayatoito added a commit to hayatoito/staticfile that referenced this issue Nov 8, 2016
@hayatoito hayatoito Normalize the request path
Fixes #89.
00c9313
@Hoverbear
Member

You're the best. :)

@untitaker untitaker closed this in #90 Nov 8, 2016
@untitaker
Member

Released 0.3.1. Thanks @hayatoito!

@hayatoito
Contributor
hayatoito commented Nov 9, 2016 edited

My pleasure. Thank you for merging!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment