
A parent directory of the root can be accessed #89

Closed
hayatoito opened this Issue Nov 8, 2016 · 5 comments

Comments

@hayatoito
Contributor

hayatoito commented Nov 8, 2016

It looks like RequestedPath::new() uses the result of decode_percents(...) without any filtering.
That allows potential access to a parent directory of the Static's root.

For example, the following request might return the contents of the /etc/passwd file.

http://host:port/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

I guess this behavior is unintentional because this could be a security vulnerability.
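The decode-then-join behaviour the report describes, next to one way of confining the result to the root, as an added example that is not code from staticfile or from the reporter. The names `decode_percents`, `resolve_unfiltered`, `lexical_normalize`, `resolve_confined` and the root `/srv/www` are my own stand-ins, not the crate's API; `resolve_unfiltered` only mirrors the shape of the bug (decode, then push every segment onto the root), and the confined version is one possible fix, not a description of what the referenced patch did. The encoded form matters because a raw `../` segment is typically collapsed by the client or URL parser before a handler sees it, whereas `%2f` survives until the handler decodes it.

```rust
use std::path::{Component, Path, PathBuf};

/// Minimal percent-decoder, a stand-in for the crate's decode_percents
/// (assumption: the real one behaves the same for the %2f / %2e sequences at issue).
/// Invalid sequences such as "%zz" are passed through unchanged.
fn decode_percents(s: &str) -> String {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' && i + 2 < bytes.len() {
            let hex = std::str::from_utf8(&bytes[i + 1..i + 3]).ok();
            if let Some(b) = hex.and_then(|h| u8::from_str_radix(h, 16).ok()) {
                out.push(b);
                i += 3;
                continue;
            }
        }
        out.push(bytes[i]);
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Vulnerable shape described in the issue: decode, then append every decoded
/// segment to the root with no filtering, so ".." segments survive into the path.
fn resolve_unfiltered(root: &Path, request_path: &str) -> PathBuf {
    let decoded = decode_percents(request_path);
    let mut resolved = root.to_path_buf();
    for segment in decoded.split('/').filter(|s| !s.is_empty()) {
        resolved.push(segment);
    }
    resolved
}

/// What the filesystem will do with those ".." components at open time, shown
/// lexically: each ParentDir pops one component, so the path walks out of the root.
fn lexical_normalize(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for comp in path.components() {
        match comp {
            Component::ParentDir => {
                out.pop();
            }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Confined resolver: decode first, then accept only normal segments, rejecting
/// any ParentDir (including ones produced by %2e%2e), and finally confirm the
/// joined path is still lexically under the root.
fn resolve_confined(root: &Path, request_path: &str) -> Option<PathBuf> {
    let decoded = decode_percents(request_path);
    let mut resolved = root.to_path_buf();
    for comp in Path::new(&decoded).components() {
        match comp {
            Component::Normal(segment) => resolved.push(segment),
            // a leading "/" or a "." segment is harmless
            Component::RootDir | Component::CurDir => {}
            Component::ParentDir | Component::Prefix(_) => return None,
        }
    }
    if resolved.starts_with(root) {
        Some(resolved)
    } else {
        None
    }
}

fn main() {
    let root = Path::new("/srv/www");
    let evil = "..%2f..%2f..%2fetc/passwd";
    println!("unfiltered: {}", lexical_normalize(&resolve_unfiltered(root, evil)).display());
    println!("confined:   {:?}", resolve_confined(root, evil));
    println!("legit:      {:?}", resolve_confined(root, "css%2Fstyle.css"));
}
```

The `starts_with` check is purely lexical: it catches `..` but not a symlink inside the root that points outside it, so a server that must tolerate symlinks should additionally `canonicalize()` the final path and re-check the prefix against the canonicalized root.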

@Hoverbear
Member

Hoverbear commented Nov 8, 2016

Hm, I would feel that this is a security risk, yes. I would assume desirable behavior would be that you couldn't traverse "up" past the defined root.

Would you like to make a patch for this?

@hayatoito
Contributor

hayatoito commented Nov 8, 2016

Sure. Let me try.

hayatoito added a commit to hayatoito/staticfile that referenced this issue Nov 8, 2016

@Hoverbear
Member

Hoverbear commented Nov 8, 2016

You're the best. :)

@untitaker untitaker closed this in #90 Nov 8, 2016

@untitaker
Member

untitaker commented Nov 8, 2016

Released 0.3.1. Thanks @hayatoito!

@hayatoito
Contributor

hayatoito commented Nov 9, 2016

My pleasure. Thank you for merging!
