Neutralize property backward slashes sequences in StaticHandler #1025

Closed
vietj opened this Issue Oct 3, 2018 · 0 comments

vietj commented Oct 3, 2018

CVE-2018-12542: The StaticHandler uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\' (backward slashes) sequences that can resolve to a location that is outside of that directory when running on Windows Operating Systems. This was reported by Vishwanath Viraktamath vviraktamath@vmware.com

@vietj vietj added the bug label Oct 3, 2018

@vietj vietj added this to the 3.5.4 milestone Oct 3, 2018

vietj added a commit that referenced this issue Oct 3, 2018

CVE-2018-12542: The StaticHandler uses external input to construct a …
…pathname that should be within a restricted directory, but it does not properly neutralize '\' (forward slashes) sequences that can resolve to a location that is outside of that directory when running on Windows Operating Systems. - fixes #1025

@vietj vietj closed this Oct 3, 2018

@vietj vietj referenced this issue Oct 3, 2018

Closed

Vert.x 3.5.4 umbrella issue #401

22 of 22 tasks complete
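
The kind of neutralization this issue calls for, as an added example (not the Vert.x fix and not code from this project): backslashes are treated as separators on every platform before the containment check runs. `SafeStaticPath`, `resolve`, the `webroot` directory and the sample request paths are hypothetical, and the request path is assumed to be already URL-decoded.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Optional;

public class SafeStaticPath {
    // Hypothetical helper: maps an already URL-decoded request path to a file
    // under webRoot, or returns empty when the path would leave that directory.
    static Optional<Path> resolve(Path webRoot, String requestPath) {
        if (requestPath.indexOf('\0') >= 0) return Optional.empty();
        // Treat '\' as a separator on every platform, so the decision does not
        // depend on which OS later interprets the path.
        String unified = requestPath.replace('\\', '/');
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : unified.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                // Climbing above the web root is rejected, not clamped.
                if (segments.isEmpty()) return Optional.empty();
                segments.removeLast();
            } else if (seg.indexOf(':') >= 0) {
                return Optional.empty(); // drive letters, NTFS stream names
            } else {
                segments.addLast(seg);
            }
        }
        try {
            Path root = webRoot.toAbsolutePath().normalize();
            Path candidate = root;
            for (String seg : segments) candidate = candidate.resolve(seg);
            candidate = candidate.normalize();
            // Final containment check against the normalized root.
            return candidate.startsWith(root) ? Optional.of(candidate) : Optional.empty();
        } catch (InvalidPathException e) {
            return Optional.empty(); // characters the local filesystem rejects
        }
    }

    public static void main(String[] args) {
        Path root = Paths.get("webroot"); // constructed sample root
        String[] samples = { "/index.html", "/css/../index.html", // constructed inputs
            "/..\\..\\secret.txt", "/css/..\\..\\secret.txt", "/C:\\secret.txt" };
        for (String s : samples)
            System.out.println(s + " -> "
                + resolve(root, s).map(Path::toString).orElse("REJECTED"));
    }
}
```

The check is lexical only and does not follow symbolic links; for files that exist, `Path.toRealPath()` can be compared against the real path of the root as an additional step.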