Absolute path traversal in SharedDataMiddleware on Windows #1589

Closed
xmo-odoo opened this issue Jun 20, 2019 · 0 comments

@xmo-odoo xmo-odoo commented Jun 20, 2019

SharedDataMiddleware applies various path sanitisation methods to the incoming paths.

However, these "only" handle relative and Unix-absolute paths; absolute Windows paths (with drive names) don't get cleaned up properly:

import os
from werkzeug.middleware.shared_data import SharedDataMiddleware
from werkzeug.serving import run_simple

def null(environ, start_response):
    # Fallback application: anything SharedDataMiddleware does not serve
    # from the exported directory ends up here with a plain 404.
    start_response('404 NOT FOUND', [('Content-Type', 'text/plain')])
    yield b'not found'

# Export the "static" directory next to this script under /static.
app = SharedDataMiddleware(null, {
    '/static': os.path.join(os.path.dirname(__file__), 'static'),
})

if __name__ == '__main__':
    run_simple('localhost', 5000, app)

Run the script on a Windows machine and access http://localhost:5000/static/c:/windows/win.ini

Expected: 404, as when trying to do Unix absolute path traversal (sequences of slashes) or relative path traversal (.. path segments).

Observed: the machine's win.ini is returned.
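Why the request above escapes the exported directory, as an added example that is not part of the original issue or of Werkzeug's own code: Python's Windows path module (ntpath) treats a second join() argument that carries a drive letter and a rooted path, such as c:/windows/win.ini, as absolute and discards the first argument entirely, whereas posixpath simply appends it, which is why the report is Windows-only. The module is imported as ntpath rather than os.path so the demonstration runs on any OS, and the root C:\srv\app\static is a constructed path. guarded_join is a hypothetical hardened joiner written for this page (it is not Werkzeug's safe_join); it rejects drive letters, backslashes, absolute paths and ".." segments up front and then double-checks that the normalised result still lies below the root.

```python
import ntpath
import posixpath

# Constructed example root, written as a Windows path so ntpath can be used
# to emulate Windows join semantics on any platform.
STATIC_ROOT = "C:\\srv\\app\\static"


def naive_join(root, url_path, pathmod=ntpath):
    """The unsafe pattern: hand the URL path straight to the platform join.

    With ntpath, an argument such as 'c:/windows/win.ini' has a drive and a
    rooted path, so join() throws `root` away and returns the attacker's path.
    With posixpath the same string is just appended below `root`.
    """
    return pathmod.join(root, url_path)


def guarded_join(root, url_path, pathmod=ntpath):
    """Hypothetical hardened join (added example, not Werkzeug's safe_join).

    Returns the filesystem path below `root`, or None for anything that
    could leave it:
      * a colon anywhere (drive letters: 'c:/x', 'c:x', bare 'c:'),
      * a backslash (Windows alternate separator),
      * a leading '/' (absolute path) or a '..' segment,
      * and, as a belt-and-braces check, a normalised result whose common
        prefix with `root` is not `root` itself (different drive included).
    """
    if not url_path:
        return None
    if ":" in url_path or "\\" in url_path:
        return None
    if url_path.startswith("/"):
        return None
    parts = [p for p in url_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None
    candidate = pathmod.normpath(pathmod.join(root, *parts))
    root_norm = pathmod.normpath(root)
    try:
        # commonpath() raises ValueError for paths on different drives;
        # that is an escape attempt as far as we are concerned.
        if pathmod.commonpath([root_norm, candidate]) != root_norm:
            return None
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    attack = "c:/windows/win.ini"
    print("ntpath   naive:", naive_join(STATIC_ROOT, attack))
    print("posixpath naive:", naive_join("/srv/app/static", attack, posixpath))
    print("guarded attack:", guarded_join(STATIC_ROOT, attack))
    print("guarded benign:", guarded_join(STATIC_ROOT, "css/site.css"))
```

The up-front rejections are what actually close the hole; the commonpath check at the end is cheap insurance against a separator or drive form the segment filter did not anticipate. A production version would also resolve symlinks (os.path.realpath) on the real filesystem before comparing, which this offline example deliberately does not do.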

@davidism davidism added this to the 0.15.5 milestone Jul 9, 2019
@davidism davidism self-assigned this Jul 9, 2019
@davidism davidism closed this Jul 15, 2019