A parent directory of the root can be accessed

iron / staticfile

Static file-serving middleware for the Iron web framework.

MIT License

63 stars 56 forks source link

A parent directory of the root can be accessed #89

Closed hayatoito closed 7 years ago

hayatoito commented 7 years ago

It looks that RequestedPath::new() uses the result of decode_percents(...) without any filtering. That allows a potential access to a parent directory of the Static's root.

For example, the following request might return the contents of /etc/passwd file.

http://host:port/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

I guess this behavior is unintentional because this could be an security vulnerability.

Hoverbear commented 7 years ago

Hm, I would feel that this is a security risk yes. I would assume desirable behavior would be that you couldn't traverse "up" past the defined root.

Would you like to make a patch for this?

hayatoito commented 7 years ago

Sure. Let me try.

Hoverbear commented 7 years ago

You're the best. :)

untitaker commented 7 years ago

Released 0.3.1. Thanks @hayatoito!

hayatoito commented 7 years ago

My pleasure. Thank you for merging!