Closed danj2k closed 1 month ago
Yes, the `filename` parameter is joined with the (trusted) `root` path and then made absolute. If the resulting path is no longer within `root`, an error is returned.

See https://github.com/bottlepy/bottle/blob/master/bottle.py#L2868-L2872 and the docstring that says "Read-protected files or files outside of the root directory are answered with 403 Access Denied."
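The containment check described in the reply above, written out as an added illustration (this is not bottle's own code; it only reproduces the join / make-absolute / prefix-compare logic the comment describes). The root directory `/srv/www/static`, the request paths and the `(status, path)` return convention are assumptions made for the example; `posixpath` is used instead of `os.path` so the results are identical on every host and no files need to exist.

```python
import posixpath

# Hypothetical trusted root directory for the example.
ROOT = "/srv/www/static"


def resolve_static_path(root, filename):
    """Resolve a user-controlled filename against a trusted root.

    Returns (200, absolute_path) when the resolved path stays inside root
    and (403, None) when it would escape, matching the "403 Access Denied"
    behaviour the docstring promises. Added example, not bottle's code.
    """
    # Normalise root to an absolute path WITH a trailing separator. Without
    # the separator a prefix check would also accept a sibling directory such
    # as /srv/www/static_private when root is /srv/www/static.
    root = posixpath.join(posixpath.abspath(root), "")
    # Strip leading slashes so join() does not treat the user value as an
    # absolute path and silently discard root.
    candidate = posixpath.abspath(posixpath.join(root, filename.strip("/\\")))
    # abspath() collapses every ".." segment, so the only thing left to decide
    # is whether the collapsed path still starts with root.
    if not candidate.startswith(root):
        return 403, None
    return 200, candidate


# Constructed request paths: the traversal from the question, an absolute
# path, a sibling-directory escape, and a legitimate file.
SAMPLE_REQUESTS = [
    "css/site.css",
    "path/to/file/../../../../../etc/passwd",
    "../../../../../etc/passwd",
    "/etc/passwd",
    "../static_private/secret.txt",
]


def classify_requests(root, requests):
    """Map each request path to the status the check would return."""
    return {req: resolve_static_path(root, req)[0] for req in requests}


if __name__ == "__main__":
    for req, status in classify_requests(ROOT, SAMPLE_REQUESTS).items():
        print(f"{status}  {req}")
```

Note that a leading slash is neutralised rather than rejected: `/etc/passwd` becomes `etc/passwd` relative to the root and resolves to `/srv/www/static/etc/passwd`, which is inside the root and therefore allowed (it will simply 404 if no such file exists). The trailing separator on `root` is what turns `../static_private/secret.txt` into a 403 instead of a prefix-match false positive.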
I had a quick look at the code and I could see some checks in there, but I was wondering if it has defences against directory traversal?
For example, a user requesting a URL like `http://bottle:8080/path/to/file/../../../../../etc/passwd`, or something similar.
Do any of the existing checks protect against this type of vulnerability?