Fix path traversal vulnerability
This change fixes a path traversal vulnerability that would allow attackers to navigate through the filesystem of the server (provided execute access to directories for the user running the web server). Attackers could only list the contents of directories -- not download files.

The vulnerability was caused by the lack of a check for the validity of requested paths when handling directories, notably when `..%2F` (`../` URL-encoded) was present in requested paths.

Background: awful-salmonella-tar is implemented using awful [0]. Awful is implemented on top of spiffy [1], and overrides the `(handle-not-found)` parameter to map URL paths to procedures. Spiffy takes some precautions regarding dealing with malicious paths when it handles static files. Code that uses spiffy to implement generation of dynamic content (like awful does) must take its own precautions.

awful-salmonella-tar uses a procedure (`safe-path?`) with a relatively strict policy to allow access to files, but it was not being used to validate access to directories, and that was causing the vulnerability. This change applies `safe-path?` to all requested paths.

Thanks to Chris Brannon for responsibly reporting this issue.

[0] https://wiki.call-cc.org/eggref/5/awful
[1] https://wiki.call-cc.org/eggref/5/spiffy
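The gap described in the commit message, as an added Python example (not part of the commit and not awful-salmonella-tar's code): a handler that validates file requests but not directory requests, next to the same handler with the check applied to every request. The names `safe_path`, `handle`, the `check_dirs` flag and the directory layout are assumptions for illustration, and the policy shown is not the egg's actual `safe-path?`.

```python
import os
import tempfile
from urllib.parse import unquote

def safe_path(rel):
    """Hypothetical strict policy: relative, no '', '.' or '..' components."""
    if "\\" in rel or "\0" in rel:
        return False
    if rel == "":
        return True  # the served root itself
    parts = rel[:-1].split("/") if rel.endswith("/") else rel.split("/")
    return all(p not in ("", ".", "..") for p in parts)

def handle(root, raw_path, check_dirs):
    """Dispatch a request; check_dirs=False reproduces the missing directory check."""
    # Validate the *decoded* path: '..%2F' only becomes '../' after decoding.
    rel = unquote(raw_path)[1:]
    target = os.path.join(root, rel)
    if os.path.isdir(target):
        if check_dirs and not safe_path(rel):
            return ("denied", None)
        return ("listing", sorted(os.listdir(target)))
    if os.path.isfile(target):
        if not safe_path(rel):  # files were validated before and after the fix
            return ("denied", None)
        return ("file", target)
    return ("not-found", None)

def demo():
    # Constructed layout: 'reports' is the served root, 'private' is its sibling.
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "reports")
        os.makedirs(os.path.join(root, "2024"))
        os.makedirs(os.path.join(base, "private"))
        open(os.path.join(root, "2024", "log.txt"), "w").close()
        open(os.path.join(base, "private", "notes.txt"), "w").close()
        return {
            "dir_before": handle(root, "/..%2Fprivate/", check_dirs=False),
            "dir_after": handle(root, "/..%2Fprivate/", check_dirs=True),
            "file_before": handle(root, "/..%2Fprivate%2Fnotes.txt", check_dirs=False),
            "legit_dir": handle(root, "/2024/", check_dirs=True),
        }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `dir_before` and `file_before` results show the asymmetry the message describes: the directory outside the root is listed while the file inside it is refused.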