Closed hayatoito closed 7 years ago
Hm, I would feel that this is a security risk, yes. I would assume desirable behavior would be that you couldn't traverse "up" past the defined root.
Would you like to make a patch for this?
Sure. Let me try.
You're the best. :)
Released 0.3.1. Thanks @hayatoito!
My pleasure. Thank you for merging!
It looks like `RequestedPath::new()` uses the result of `decode_percents(...)` without any filtering. That allows potential access to a parent directory of the `Static`'s `root`. For example, the following request might return the contents of the `/etc/passwd` file. I guess this behavior is unintentional because this could be a security vulnerability.
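One way to do the filtering the report asks for, as an added example written for this thread and not code from the project itself: decode the percent-escapes first, then walk the decoded path component by component and refuse anything that would leave `root`. The `decode_percents` here is a stand-in for the crate's helper, and `/srv/www` is a made-up root.

```rust
use std::path::{Component, Path, PathBuf};

/// Decode %XX escapes. Constructed stand-in for the crate's decode_percents.
fn decode_percents(s: &str) -> String {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%'
            && i + 2 < bytes.len()
            && bytes[i + 1].is_ascii_hexdigit()
            && bytes[i + 2].is_ascii_hexdigit()
        {
            // Both hex digits are ASCII, so this slice is on a char boundary.
            out.push(u8::from_str_radix(&s[i + 1..i + 3], 16).unwrap());
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Map a request path onto a file under `root`.
/// Returns None if the *decoded* path contains `..` or a drive prefix,
/// so `%2e%2e`, `..%2F` and plain `../` are all rejected after decoding.
fn safe_requested_path(root: &Path, request_path: &str) -> Option<PathBuf> {
    let decoded = decode_percents(request_path);
    let mut resolved = root.to_path_buf();
    for component in Path::new(&decoded).components() {
        match component {
            Component::Normal(seg) => resolved.push(seg),
            // A leading '/' or '.' cannot move above root; just skip it.
            Component::RootDir | Component::CurDir => {}
            Component::ParentDir | Component::Prefix(_) => return None,
        }
    }
    Some(resolved)
}

fn main() {
    let root = Path::new("/srv/www");
    for req in ["/index.html", "/../etc/passwd", "/css/..%2F..%2Fetc%2Fpasswd"] {
        println!("{:<32} -> {:?}", req, safe_requested_path(root, req));
    }
}
```

This is a lexical check only: a symlink inside `root` that points outside it would still be followed, so a deployment that allows symlinks should additionally canonicalize the resolved path and confirm it still starts with the canonicalized root.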