Directory traversal in FileStorage (with on-demand TLS) #2092
1. What version of Caddy are you using (
Clever -- thanks for the report. Fortunately, this is largely mitigated if you don't run Caddy as root (and I think this is the first vulnerability we've had where not running as root can explicitly reduce the problem, due to interactions with the file system).
This is a recent regression, affecting only v0.10.11 and v0.10.12. The distributed solving of the ACME challenge places a lock file on disk which gets cleaned up after the challenge completes (whether it fails or not -- in these cases, it obviously fails) but with the commit I just pushed we now clean up any empty parent folder it may have created for the sake of the lock file. We also sanitize file names -- that wasn't necessary before since all files written would have already been verified by the certificate authority, so they must have been normal domain names.
HostQualifies is perhaps a good place to do more validation in the future, though I want to be careful that that function only returns false if the name is expressly forbidden from being used for managed TLS, not as a hostname in general.
Thanks again! Stay tuned for a new release soon.
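The two mitigations the comment describes, validating a hostname before it becomes a path component and removing the empty parent directories a lock file left behind, as an added example in Go. This is illustrative code written for this page, not Caddy's own implementation; the function names `lockPath` and `removeEmptyParents`, the `locks/` sub-directory, the `wildcard_` prefix and the hostname pattern are all assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrBadName is returned for any name that is not a plausible hostname.
var ErrBadName = errors.New("name is not a valid hostname for storage")

// hostnameRe is a deliberately strict pattern (an assumption for this example):
// DNS labels of letters, digits and hyphens separated by dots, with an optional
// leading "*." wildcard label. Nothing that could act as a path separator or a
// ".." component can match it.
var hostnameRe = regexp.MustCompile(
	`^(\*\.)?([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$`)

// lockPath maps a hostname to a lock-file path beneath storageRoot, refusing any
// name that is not a hostname. Even after the allow-list check it confirms the
// cleaned path still lies inside storageRoot (defence in depth).
func lockPath(storageRoot, name string) (string, error) {
	name = strings.ToLower(strings.TrimSpace(name))
	if len(name) > 253 || !hostnameRe.MatchString(name) {
		return "", fmt.Errorf("%w: %q", ErrBadName, name)
	}
	// Keep "*" out of file names by spelling a wildcard prefix out (assumption).
	fileName := strings.Replace(name, "*.", "wildcard_", 1)

	root, err := filepath.Abs(storageRoot)
	if err != nil {
		return "", err
	}
	p := filepath.Join(root, "locks", fileName+".lock")

	rel, err := filepath.Rel(root, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes storage root", ErrBadName, name)
	}
	return p, nil
}

// removeEmptyParents removes the directories between p and root that are empty,
// innermost first. os.Remove fails on a non-empty directory, and a non-empty
// directory means every ancestor is non-empty too, so the walk stops there.
// root itself is never removed. Only the path is checked for root containment
// (symlinks are resolved by the caller if that matters).
func removeEmptyParents(p, root string) {
	for dir := filepath.Dir(p); dir != root && strings.HasPrefix(dir, root+string(filepath.Separator)); dir = filepath.Dir(dir) {
		if err := os.Remove(dir); err != nil {
			return
		}
	}
}

func main() {
	// Constructed sample names: two legitimate hostnames and three hostile ones.
	for _, name := range []string{"example.com", "*.Example.com", "../../etc/passwd", "..", "a/b"} {
		p, err := lockPath("/var/lib/caddy", name)
		if err != nil {
			fmt.Printf("%-20q rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-20q -> %s\n", name, p)
	}
}
```

The allow-list check does the real work; the `filepath.Rel` test only guards against a future loosening of the pattern. Note that `removeEmptyParents` is intentionally bounded by `root` so a cleanup routine can never delete the storage directory itself.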