Neutralize property backward slashes sequences in StaticHandler #1025

Closed
vietj opened this issue Oct 3, 2018 · 0 comments
@vietj
Contributor

vietj commented Oct 3, 2018

CVE-2018-12542: The StaticHandler uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\' (backward slashes) sequences that can resolve to a location that is outside of that directory when running on Windows Operating Systems. This was reported by Vishwanath Viraktamath vviraktamath@vmware.com

@vietj vietj added the bug label Oct 3, 2018
@vietj vietj added this to the 3.5.4 milestone Oct 3, 2018
vietj added a commit that referenced this issue Oct 3, 2018
…pathname that should be within a restricted directory, but it does not properly neutralize '\' (forward slashes) sequences that can resolve to a location that is outside of that directory when running on Windows Operating Systems. - fixes #1025
@vietj vietj closed this as completed Oct 3, 2018
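
The weakness described in this issue, as an added example (not code from Vert.x-Web or from the commit that fixed it): a dot-segment normalizer that only recognizes '/' as a separator passes `..\` sequences through unchanged, while one that also treats '\' as a separator rejects them. The class name, method names and sample request paths are hypothetical and constructed for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Added illustration; hypothetical class, not Vert.x-Web source code.
public class BackslashNeutralizeDemo {

  // Naive normalizer: resolves dot segments but only recognizes '/' as a separator.
  // A "..\" sequence stays inside one segment and is never examined.
  static String normalizeForwardOnly(String path) {
    return normalize(path);
  }

  // Hardened normalizer: maps '\' to '/' first, so "..\" is handled exactly like "../".
  static String normalizeBothSeparators(String path) {
    return normalize(path.replace('\\', '/'));
  }

  // Resolves "." and ".." segments; returns null when the path climbs above the root.
  private static String normalize(String path) {
    Deque<String> stack = new ArrayDeque<>();
    for (String seg : path.split("/")) {
      if (seg.isEmpty() || seg.equals(".")) continue;
      if (seg.equals("..")) {
        if (stack.isEmpty()) return null; // would leave the web root: reject
        stack.removeLast();
      } else {
        stack.addLast(seg);
      }
    }
    return "/" + String.join("/", stack);
  }

  public static void main(String[] args) {
    // Constructed request paths, for illustration only.
    String[] samples = {
      "/css/site.css", "/img/../css/site.css", "/..\\..\\secret.txt", "/a\\..\\..\\secret.txt"
    };
    for (String p : samples) {
      // null in the "both" column means the request is rejected.
      System.out.printf("%-24s forward-only=%-24s both=%s%n",
          p, normalizeForwardOnly(p), normalizeBothSeparators(p));
    }
  }
}
```

For the two backslash samples the forward-only normalizer returns the path unchanged, which a Windows filesystem then resolves upward, while the hardened normalizer returns null.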