Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

A parent directory of the root can be accessed #89

Closed
hayatoito opened this issue Nov 8, 2016 · 5 comments
Closed

A parent directory of the root can be accessed #89

hayatoito opened this issue Nov 8, 2016 · 5 comments
Labels
bug help wanted

Comments

@hayatoito
Copy link
Contributor

hayatoito commented Nov 8, 2016
edited

It looks that RequestedPath::new() uses the result of decode_percents(...) without any filtering.
That allows a potential access to a parent directory of the Static's root.

For example, the following request might return the contents of /etc/passwd file.

http://host:port/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

I guess this behavior is unintentional because this could be an security vulnerability.
@Hoverbear
Copy link

Hoverbear commented Nov 8, 2016
edited

Hm, I would feel that this is a security risk yes. I would assume desirable behavior would be that you couldn't traverse "up" past the defined root.

Would you like to make a patch for this?

@hayatoito
Copy link
Contributor Author

hayatoito commented Nov 8, 2016
edited

Sure. Let me try.

hayatoito added a commit to hayatoito/staticfile that referenced this issue Nov 8, 2016
@hayatoito
Normalize the request path
00c9313 
Fixes iron#89.
@hayatoito hayatoito mentioned this issue Nov 8, 2016
Merged
@Hoverbear
Copy link

You're the best. :)

@untitaker
Copy link
Member

Released 0.3.1. Thanks @hayatoito!

@hayatoito
Copy link
Contributor Author

hayatoito commented Nov 9, 2016
edited

My pleasure. Thank you for merging!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Hoverbear @hayatoito @untitaker