jlouis / etorrent

Erlang Bittorrent Client
BSD 2-Clause "Simplified" License

webui security bug #128

Open arcusfelis opened 12 years ago

arcusfelis commented 12 years ago

I found a few errors in the etorrent_cowboy_handler.erl file. I can get access to any file on the Erlang node through cowboy:

    telnet 127.0.0.1 8080

    GET /../../../../../log/console.log HTTP/1.0
    Host: 127.0.0.1

And mimetypes:filename returns undefined (not unknown).

    2> mimetypes:filename("test.hrl").
    undefined

jlouis commented 12 years ago

Can you try with this patch? It attempts to be a bit more limiting in what you can put in, but my PropEr test might not be tight enough.

https://github.com/jlouis/etorrent/tree/jlouis-security-sanity

Thanks for reporting it. I'd rather go for something which is not a white-list if possible.
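The request in the first comment walks out of the web root with ".." segments, and the reply above prefers a fix that is not a white-list of files. The following is an added example, not etorrent's or cowboy's code, of a segment-based check that rejects traversal without enumerating allowed files; the module name `safe_path`, the sample root directory and the assumption that the path is already percent-decoded are mine.

```erlang
%% Added example (not etorrent's or cowboy's code): confine a requested URL
%% path to a document root before touching the filesystem.
%% Root is assumed to be an absolute directory (not "/"); ReqPath is the raw,
%% already percent-decoded path from the request line (assumption).
-module(safe_path).
-export([resolve/2, demo/0]).

%% Returns {ok, AbsolutePath} or {error, Reason}.
resolve(Root, ReqPath) ->
    case lists:member(0, ReqPath) of
        true  -> {error, nul_byte};   % a NUL byte can truncate paths in C libraries
        false -> resolve_segments(filename:join([Root]), string:lexemes(ReqPath, "/"))
    end.

resolve_segments(_Root, []) ->
    {error, empty_path};
resolve_segments(Root, Segments) ->
    case lists:any(fun bad_segment/1, Segments) of
        true ->
            {error, traversal};
        false ->
            Abs = filename:join([Root | Segments]),
            %% Second guard: the joined path must still lie under Root.
            %% (Symlinks inside Root are not resolved here; check the target
            %% with filelib:is_regular/1 before serving it.)
            case lists:prefix(Root ++ "/", Abs) of
                true  -> {ok, Abs};
                false -> {error, escaped_root}
            end
    end.

%% Segment-level rules: any "..", any ".", and any dotfile segment are
%% rejected outright, so no list of permitted files is needed.
bad_segment("..")     -> true;
bad_segment(".")      -> true;
bad_segment([$. | _]) -> true;
bad_segment(_)        -> false.

%% Constructed sample inputs: the request from the report and two ordinary ones.
demo() ->
    Root = "/srv/etorrent/webui",    % constructed sample document root
    [resolve(Root, "/index.html"),                      % {ok, ".../webui/index.html"}
     resolve(Root, "/../../../../../log/console.log"),  % {error, traversal}
     resolve(Root, "/css/../style.css")].               % {error, traversal}: ".." is never allowed
```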

jlouis commented 12 years ago

I'll look into the mimetypes error later today perhaps :)

arcusfelis commented 12 years ago

I think the part of the system which handles requests to the real files must be implemented in the cowboy application. It will be a more elegant way of solving this problem.

jlouis commented 12 years ago

I agree. @klaar has been working on writing a static file handler for Cowboy I think, so I can ask him about what he has done there and adopt it.

arcusfelis commented 12 years ago

I found it: https://github.com/klaar/cowboy_static.git

ghost commented 12 years ago

We just merged a simpler version of that into the master branch of extend/cowboy, batteries included!