jsvine / waybackpack

Download the entire Wayback Machine archive for a given URL.
MIT License

directory traversal via crafted timestamps #63

Closed jwilk closed 1 year ago

jwilk commented 1 year ago

Waybackpack does not validate timestamps it receives from the Wayback Machine. If the server went rogue, it could put "../" sequences in the timestamp, tricking waybackpack into writing outside the destination directory.
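The report above describes a classic path-traversal pattern: a value controlled by a remote server (here, the snapshot timestamp) is joined into a filesystem path and used as a directory name. The following is an added example, not waybackpack's own code or the fix referenced in this issue. It contrasts the unvalidated join the report describes with a hardened version that (a) accepts only the 14-digit `YYYYMMDDhhmmss` form the Wayback Machine's CDX API uses for timestamps and (b) confirms, as defence in depth, that the final path still lies under the destination root. All function names and the sample root are illustrative assumptions.

```python
import os
import re

# Wayback Machine snapshot timestamps are 14 ASCII digits, YYYYMMDDhhmmss.
# [0-9] rather than \d so Unicode digit classes cannot slip through.
TIMESTAMP_RE = re.compile(r"[0-9]{14}")


def unsafe_dest_path(root, timestamp, filename="index.html"):
    """The pattern the report describes: a server-supplied timestamp is
    joined straight into the output path with no validation.

    Note that os.path.join also discards `root` entirely if `timestamp`
    is absolute (e.g. "/etc/cron.d"), so "../" is not the only hazard."""
    return os.path.join(root, timestamp, filename)


def is_valid_timestamp(timestamp):
    """Allow-list check: exactly 14 ASCII digits, nothing else."""
    return isinstance(timestamp, str) and TIMESTAMP_RE.fullmatch(timestamp) is not None


def escapes_root(root, path):
    """True if `path`, once normalised, is not `root` or a descendant of it.

    Pure string logic (abspath/normpath/commonpath), so it works for paths
    that do not exist yet, which is the situation before a download."""
    root_abs = os.path.abspath(root)
    path_abs = os.path.abspath(path)
    try:
        return os.path.commonpath([root_abs, path_abs]) != root_abs
    except ValueError:
        # Different drives on Windows: certainly not under root.
        return True


def safe_dest_path(root, timestamp, filename="index.html"):
    """Hardened construction: validate the timestamp against the expected
    format first, then independently verify containment of the result."""
    if not is_valid_timestamp(timestamp):
        raise ValueError(f"rejecting malformed timestamp: {timestamp!r}")
    dest = os.path.join(root, timestamp, filename)
    if escapes_root(root, dest):
        # Unreachable when the regex holds, but kept so that a future
        # relaxation of the format check cannot silently reopen the hole.
        raise ValueError(f"destination escapes root: {dest!r}")
    return os.path.abspath(dest)


def rejects_timestamp(root, timestamp):
    """Helper for tests and callers: does safe_dest_path refuse this value?"""
    try:
        safe_dest_path(root, timestamp)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values; "/tmp/archive" is an assumed download root.
    root = "/tmp/archive"
    good = "20230115120000"
    hostile = "../../../../etc/cron.d"

    print("unsafe, good ts  ->", unsafe_dest_path(root, good))
    print("unsafe, hostile  ->", os.path.abspath(unsafe_dest_path(root, hostile)),
          "(escapes root:", escapes_root(root, unsafe_dest_path(root, hostile)), ")")
    print("safe,   good ts  ->", safe_dest_path(root, good))
    print("safe,   hostile  -> rejected:", rejects_timestamp(root, hostile))
```

The format check is the real fix; the containment check is a second, independent line of defence so that the two failure modes (a regex that is later loosened, or a join that silently drops the root for an absolute component) each need a second bug before data lands outside the destination directory.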

jsvine commented 1 year ago

Good catch, thanks! Now handled in https://github.com/jsvine/waybackpack/commit/1da86a0701f82be6914dd0eb2aa0169a964cb05f and available in v0.5.0. Though do holler if you see anything still amiss.