
v4.15.3 - Static encoded-separator route bypass fix (GHSA-vfp3-v2gw-7wfq)


@vishr vishr released this 14 Jun 16:17
· 78 commits to master since this release
8800212

Security

  • fix(static): reject encoded path separators that bypass route-level middleware by @vishr in #3011

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#3009, released in v5.2.0). Thanks to @a-tt-om and @oran-gugu for reporting.

Full Changelog: v4.15.2...v4.15.3