webui security bug #128

arcusfelis opened this Issue · 6 comments

2 participants


I found a few errors in the etorrent_cowboy_handler.erl file. I can get access to any file on the Erlang node through cowboy:

 telnet 8080

GET /../../../../../log/console.log HTTP/1.0

And mimetypes:filename returns undefined (not unknown).

2> mimetypes:filename("test.hrl").

Can you try with this patch? It attempts to be a bit more limiting in what you can put in, but my PropEr test might not be tight enough.

Thanks for reporting it. I'd rather go for something which is not a white-list if possible.


I'd look into the mimetypes error later today perhaps :)


I think the part of the system which handles requests to the real files must be implemented in the cowboy application. It will be a more elegant way of solving this problem.


I agree. @klaar has been working on writing a static file handler for Cowboy I think, so I can ask him about what he has done there and adopt it.


We just merged a simpler version of that into the master branch of extend/cowboy, batteries included!
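The traversal reported at the top of this issue can be blocked without a whitelist by normalizing the request path and refusing anything that climbs above the document root. The following is an added example, not code from etorrent, cowboy or anyone in this thread; the module name, function names and document root are hypothetical, and the path is assumed to be percent-decoded before the check.

```erlang
%% Added example: resolve a request path against a document root and
%% reject any path that would escape it. All names here are hypothetical.
-module(safe_static).
-export([resolve/2, demo/0]).

%% resolve(DocRoot, Path) -> {ok, FilePath} | {error, Reason}
%% Path is the already percent-decoded request path as a binary,
%% e.g. <<"/css/site.css">>. Decoding must happen before this check,
%% otherwise an encoded ".." would pass as an ordinary segment.
resolve(DocRoot, Path) when is_binary(DocRoot), is_binary(Path) ->
    Segments = binary:split(Path, <<"/">>, [global]),
    case normalize(Segments, []) of
        {ok, []}    -> {error, no_file};
        {ok, Clean} -> {ok, filename:join([DocRoot | Clean])};
        Error       -> Error
    end.

%% Walk the segments while keeping a stack of directories below the root.
%% A ".." with an empty stack means the path tries to leave the root.
normalize([], Acc)                   -> {ok, lists:reverse(Acc)};
normalize([<<>> | T], Acc)           -> normalize(T, Acc);   % leading "/" or "//"
normalize([<<".">> | T], Acc)        -> normalize(T, Acc);
normalize([<<"..">> | _], [])        -> {error, outside_root};
normalize([<<"..">> | T], [_ | Acc]) -> normalize(T, Acc);
normalize([Seg | T], Acc) ->
    %% NUL bytes and backslashes have no place in a served file name.
    case binary:match(Seg, [<<0>>, <<"\\">>]) of
        nomatch -> normalize(T, [Seg | Acc]);
        _       -> {error, bad_segment}
    end.

%% Constructed inputs, including the request line from the report.
demo() ->
    Root = <<"/srv/webui">>,
    {ok, <<"/srv/webui/css/site.css">>} =
        resolve(Root, <<"/css/site.css">>),
    {ok, <<"/srv/webui/index.html">>} =
        resolve(Root, <<"/css/../index.html">>),
    {error, outside_root} =
        resolve(Root, <<"/../../../../../log/console.log">>),
    {error, outside_root} =
        resolve(Root, <<"/css/../../log/console.log">>),
    {error, no_file} = resolve(Root, <<"/">>),
    ok.
```

The check is purely lexical, so a symlink inside the document root that points elsewhere is still followed when the file is opened.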
