michalpokusa
commented
1 year ago Baseline testing with adafruit_httpserver 2.5.0, which allows serving static files from the filesystem
root_pathwithout a route. An explicit route will allow accessing a file outside ofroot_path.But also, it is possible using a TCP socket to access files outside of the
root_pathwithout a route (by adding../to a path, for example). Thanks @Neradoc for identifying that in Discord. Typical browsers, and curl, filter that.The current PR disallows ".." (and backslash) in a path. Tested successfully with:
Adafruit CircuitPython 8.1.0-beta.1-31-g4e25a4f6b on 2023-04-18; Adafruit QT Py ESP32S2 with ESP32S2. It is still possible for the user to explicitly allow "/" as theroot_path.LGTM
Thank you for testing @anecdata.
Just a note. It is still also possible to do an explicit route to serve file outside root_path.
~~Part of v3 Milestone, contains some minor breaking changes If possible, please do not make it a separate "Release"~~
This PR prevents accessing files outside root server directory, Previously, when there was a ".." in path it was possible to do that, which was unsecure as users could access files with configuration or secrets, or any other file.
All paths are now checked by default, whether they contain
".."or"\"(backslash) inside. if that is teh sace a403 Forbiddenis returned.In order to keep everything readable in clean, I intruduced custom exceptions, instead of raising e.g.
RunTimeErrororValueErrorwith a comment, nowInvalidPathErrororResponseAlreadySentError.Server's
root_pathis now specified in constructor, not inserver_foreverorpoolmethods.Some minor refactor to separate logic for diffrent smaller tasks inside
HTTPResponse.Updated examples to use new constructor and to use
settings.tomlinstead ofsecrets.py.