Security issue with join #48
Comments
Yeah, this patch needs to go in. @sporkmonger did you look at this?
I did. It hasn't been ignored, I just hadn't gotten around to explaining why I was rejecting it yet. RFC 3986 has a very specific algorithm for dot segment removal that's given as part of the spec in section 5.2.4. That algorithm is what Addressable uses for dot segment resolution. I'm not inclined to deviate from it or the related algorithms described in section 5.2.2 and section 5.2.3.
If this is a problem for you, you are welcome to fork.
Though I'll reopen briefly because normalization on that last example probably should not have returned
I'm not interested in and/or sufficiently knowledgeable on this topic to really maintain another fork of what is already a very solid piece of code, however I do think that last example merits some investigation and possibly a fix. I agree and already understand the low security potential of this to people that use better security mechanisms, but I still think this qualifies as a security issue, low-risk as it may be (for well designed apps). Edit: apologies, didn't see your followup just now.
Yeah, take a look at the associated patch to see what I'm really objecting to.
Thanks for the links. You are correct regarding my patch being incorrect. I wasn't aware of the behaviour of the multiple slashes in the RFC. As for the security concern, I thought it was a reasonable assumption that someone could (incorrectly) rely on the normalisation to prevent directory traversal attacks.
Well, it should prevent traversal above root:
Output:
That's the main threat to be concerned about in dot segment resolution.
Yeah, except if the second parameter is user controlled then it could match my last example. The file system does not treat // as multiple folders so my last example would traverse above the root. Any idea how far off a patch will be for this issue?
If the second parameter is user-controlled, you can't afford to skip a separate application-level security check to verify you haven't traversed above your web root or whatever sandbox the user should remain within.
Yeah, I totally agree. I was talking about someone incorrectly using Addressable for the application-level security check though.
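The mismatch the last few comments describe, as an added example that is not part of this thread and not Addressable's code: a straight transcription of the RFC 3986 section 5.2.4 `remove_dot_segments` algorithm placed beside Ruby's own lexical path resolution, using an assumed web root of `/www` and a constructed attacker input `a//../../etc/passwd`. The RFC algorithm treats the `//` as an empty segment that the first `..` consumes, so the normalized URI path stays under `/www`; the filesystem collapses `//` to `/`, so the same string climbs out to `/etc/passwd`. The last function is the separate application-level check the maintainer refers to, written against the filesystem's view rather than the URI's.

```ruby
# Added example (not Addressable's code): RFC 3986 section 5.2.4
# remove_dot_segments written out, beside the filesystem's view of the
# same path, to show why URI normalization is not a traversal check.

# RFC 3986 section 5.2.4, rule by rule. "//" is an empty segment here,
# so "/www/a//../.." pops that empty segment and then "a", and stops
# at "/www" instead of climbing above it.
def remove_dot_segments(path)
  input  = path.dup
  output = String.new
  until input.empty?
    if input.start_with?("../")          # rule A
      input = input[3..-1]
    elsif input.start_with?("./")        # rule A
      input = input[2..-1]
    elsif input.start_with?("/./")       # rule B: "/./x" -> "/x"
      input = input[2..-1]
    elsif input == "/."                  # rule B
      input = "/"
    elsif input.start_with?("/../")      # rule C: "/../x" -> "/x", pop output
      input = input[3..-1]
      output = output.sub(%r{/?[^/]*\z}, "")
    elsif input == "/.."                 # rule C
      input = "/"
      output = output.sub(%r{/?[^/]*\z}, "")
    elsif input == "." || input == ".."  # rule D
      input = ""
    else                                 # rule E: move first segment across
      segment = input[%r{\A/?[^/]*}]
      output << segment
      input = input[segment.length..-1]
    end
  end
  output
end

# What the filesystem would do with the same string: "//" collapses to
# "/", so the second ".." climbs out of the root. Purely lexical, no I/O.
def filesystem_view(root, untrusted)
  File.absolute_path(untrusted, root)
end

# The separate application-level check: resolve lexically against the
# root and require the result to stay under it. Leading slashes are
# stripped so an absolute input cannot skip the root entirely.
def inside_root?(root, untrusted)
  root = File.absolute_path(root)
  full = File.absolute_path(untrusted.sub(%r{\A/+}, ""), root)
  full == root || full.start_with?(root + "/")
end

if __FILE__ == $0
  root      = "/www"                 # assumed web root
  untrusted = "a//../../etc/passwd"  # constructed attacker-controlled input
  puts "URI view: #{remove_dot_segments("#{root}/#{untrusted}")}"  # /www/etc/passwd
  puts "FS view:  #{filesystem_view(root, untrusted)}"             # /etc/passwd
  puts "allowed?: #{inside_root?(root, untrusted)}"                # false
end
```

The check is lexical, which is all this thread is about; if the root can contain symlinks, resolve both sides with `File.realpath` before comparing, since a symlink inside the root can point anywhere and no string comparison will notice.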
will output the following