Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Absolute path traversal in SharedDataMiddleware on Windows #1589

Closed
xmo-odoo opened this issue Jun 20, 2019 · 0 comments

Comments

@xmo-odoo
Copy link

commented Jun 20, 2019

SharedDataMiddleware applies various path sanitisation methods to the incoming paths.

However these "only" handle relative and unix-absolute paths, absolute Windows paths (with drive names) don't get cleaned up properly:

import os
from werkzeug.middleware.shared_data import SharedDataMiddleware
from werkzeug.serving import run_simple

def null(environ, start_response):
    start_response('404 NOT FOUND', [('Content-Type', 'text/plain')])
    yield b'not found'

app = SharedDataMiddleware(null, {
    '/static': os.path.join(os.path.dirname(__file__), 'static'),
})

if __name__ == '__main__':
    run_simple('localhost', 5000, app)

run script on a windows machine and access http://localhost:5000/static/c:/windows/win.ini

Expected: 404, as when trying to do unix absolute path traversal (sequences of slashes) or relative path traversal (.. path segments).

Observed: the machine's win.ini is returned.

@davidism davidism added this to the 0.15.5 milestone Jul 9, 2019

@davidism davidism self-assigned this Jul 9, 2019

@davidism davidism closed this Jul 15, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.