
webui security bug #128

Open
arcusfelis opened this Issue · 6 comments

2 participants

@arcusfelis

I found a few errors in the etorrent_cowboy_handler.erl file. I can get access to any file on the Erlang node through cowboy:

    telnet 127.0.0.1 8080

    GET /../../../../../log/console.log HTTP/1.0
    Host: 127.0.0.1

And mimetypes:filename returns undefined (not unknown).

2> mimetypes:filename("test.hrl").
undefined
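
An added example of the kind of check the handler is missing; this is my code, not etorrent's or Cowboy's, written in Erlang because that is the project's language. It assumes a module name of safe_static, that the request path reaching resolve/2 has already been URL-decoded (so an encoded ".." has been turned back into ".." before the check runs), and that mimetypes:filename/1 returns a list of binary MIME types for a known extension (the page only shows the undefined case).

```erlang
-module(safe_static).
-export([resolve/2, content_type/1]).

%% Added example for this issue; not etorrent's or Cowboy's own code.
%% resolve/2 maps a request path onto a document root and refuses any
%% path that would leave it. DocRoot and ReqPath are strings; ReqPath is
%% assumed to be already URL-decoded. Returns {ok, AbsPath} | {error, forbidden}.
resolve(DocRoot, ReqPath) when is_list(DocRoot), is_list(ReqPath) ->
    %% string:tokens/2 drops empty segments ("//"); "." is dropped here.
    Segments = [S || S <- string:tokens(ReqPath, "/"), S =/= "."],
    case lists:any(fun bad_segment/1, Segments) of
        true ->
            {error, forbidden};
        false ->
            Root = filename:absname(DocRoot),
            Full = filename:join([Root | Segments]),
            %% Belt and braces: the resolved path must still sit under Root,
            %% compared component-wise so trailing slashes do not matter.
            case lists:prefix(filename:split(Root), filename:split(Full)) of
                true  -> {ok, Full};
                false -> {error, forbidden}
            end
    end.

%% A segment is rejected if it is a parent reference or carries a NUL,
%% which C-level file APIs would treat as a string terminator.
bad_segment("..") -> true;
bad_segment(Seg)  -> lists:member(0, Seg).

%% mimetypes:filename/1 returns undefined for an unknown extension, as the
%% report shows. Assumption (not on the page): for a known extension it
%% returns a list of binary MIME types. Fall back to octet-stream instead
%% of letting undefined reach the response headers.
content_type(Name) ->
    case mimetypes:filename(Name) of
        undefined                 -> <<"application/octet-stream">>;
        [Type | _]                -> Type;
        Type when is_binary(Type) -> Type
    end.
```

Calling safe_static:resolve("/srv/etorrent/www", "/../../../../../log/console.log") with the path from the report returns {error, forbidden} because of the ".." segments, while resolve("/srv/etorrent/www", "/js/app.js") returns {ok, "/srv/etorrent/www/js/app.js"}. This rejects bad segments and verifies the resolved path rather than whitelisting filenames, and content_type("test.hrl") gives application/octet-stream instead of undefined.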
@jlouis
Owner

Can you try with this patch? It attempts to be a bit more limiting in what you can put in, but my PropEr test might not be tight enough.

https://github.com/jlouis/etorrent/tree/jlouis-security-sanity

Thanks for reporting it. I'd rather go for something which is not a white-list if possible.

@jlouis
Owner

I'd look into the mimetypes error later today perhaps :)

@arcusfelis

I think the part of the system which handles requests to the real files must be implemented in the cowboy application. It will be a more elegant way of solving this problem.

@jlouis
Owner

I agree. @klaar has been working on writing a static file handler for Cowboy I think, so I can ask him about what he has done there and adopt it.

@ghost

We just merged a simpler version of that into the master branch of extend/cowboy, batteries included!
