SharedDataMiddleware applies various path sanitisation methods to the incoming paths.
However, these only handle relative and Unix-absolute paths; absolute Windows paths (with drive names) are not cleaned up properly:
import os
from werkzeug.middleware.shared_data import SharedDataMiddleware
from werkzeug.serving import run_simple

def null(environ, start_response):
    # Fallback WSGI app: anything not served from /static gets a 404
    start_response('404 NOT FOUND', [('Content-Type', 'text/plain')])
    yield b'not found'

# Serve files from the 'static' directory next to this script under /static
app = SharedDataMiddleware(null, {
    '/static': os.path.join(os.path.dirname(__file__), 'static'),
})

if __name__ == '__main__':
    run_simple('localhost', 5000, app)
Run the script on a Windows machine and request http://localhost:5000/static/c:/windows/win.ini
Expected: 404, as for Unix absolute path traversal (sequences of slashes) or relative path traversal (.. path segments).
Observed: the machine's win.ini is returned.