
A parent directory of the root can be accessed #89

Closed

hayatoito opened this issue Nov 8, 2016 · 5 comments

@hayatoito hayatoito commented Nov 8, 2016

It looks like RequestedPath::new() uses the result of decode_percents(...) without any filtering.
That allows a potential access to a parent directory of the Static's root.

For example, the following request might return the contents of /etc/passwd file.

http://host:port/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

I guess this behavior is unintentional because this could be a security vulnerability.
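As an added illustration (not code from the staticfile crate; the decoder, function names and the `/srv/www` root are assumptions), the unfiltered join the issue describes sits beside a variant that decodes first and then rejects any parent-directory or absolute component:

```rust
use std::path::{Component, Path, PathBuf};

// Minimal percent-decoder written for this example (the crate has its own
// decode_percents); malformed or truncated escapes are passed through unchanged.
fn decode_percents(s: &str) -> String {
    let b = s.as_bytes();
    let (mut out, mut i) = (Vec::with_capacity(b.len()), 0);
    while i < b.len() {
        let hex = if b[i] == b'%' && i + 2 < b.len() { std::str::from_utf8(&b[i + 1..i + 3]).ok() } else { None };
        match hex.and_then(|h| u8::from_str_radix(h, 16).ok()) {
            Some(v) => { out.push(v); i += 3; }
            None => { out.push(b[i]); i += 1; }
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

// The pattern the issue describes: the decoded path is appended to the root
// with no filtering, so a decoded "../" segment walks above the root.
fn requested_path_unfiltered(root: &Path, request_path: &str) -> PathBuf {
    let mut p = root.to_path_buf();
    p.extend(decode_percents(request_path).split('/').filter(|s| !s.is_empty()));
    p
}

// Hardened variant: decode first, then accept only plain path segments;
// any "..", absolute path or drive prefix in the decoded path is rejected.
fn requested_path_filtered(root: &Path, request_path: &str) -> Option<PathBuf> {
    let decoded = decode_percents(request_path);
    let mut p = root.to_path_buf();
    for comp in Path::new(&decoded).components() {
        match comp {
            Component::Normal(seg) => p.push(seg),
            Component::CurDir => {}
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    Some(p)
}

fn main() {
    let root = Path::new("/srv/www"); // assumed document root
    let req = "..%2f..%2fetc/passwd"; // constructed request path
    println!("unfiltered: {}", requested_path_unfiltered(root, req).display());
    println!("filtered:   {:?}", requested_path_filtered(root, req));
}
```

Because the filtered variant only ever pushes `Normal` components onto the root, the result is lexically confined to it; a symlink inside the root is a separate concern this check does not address.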

@Hoverbear Hoverbear commented Nov 8, 2016

Hm, I would feel that this is a security risk, yes. I would assume desirable behavior would be that you couldn't traverse "up" past the defined root.

Would you like to make a patch for this?

@hayatoito hayatoito commented Nov 8, 2016

Sure. Let me try.

hayatoito added a commit to hayatoito/staticfile that referenced this issue Nov 8, 2016
@Hoverbear Hoverbear commented Nov 8, 2016

You're the best. :)

@untitaker untitaker closed this in #90 Nov 8, 2016
@untitaker untitaker commented Nov 8, 2016

Released 0.3.1. Thanks @hayatoito!

@hayatoito hayatoito commented Nov 9, 2016

My pleasure. Thank you for merging!
