pmlopes / yoke

Yoke is a middleware framework for Vert.x
http://pmlopes.github.io/yoke/
Apache License 2.0

Security issue on path escape #68

Closed Ryan-ZA closed 10 years ago

Ryan-ZA commented 10 years ago

With the following Yoke code:

Yoke yoke = new Yoke(this).use(new Static("test")).listen(80);

you can make the following HTTP request:

GET /../pom.xml HTTP/1.0

And receive the pom.xml from outside the "test" static contents folder. You can chain ../../ to receive any file on the filesystem as well.

This is a major issue that should be fixed before anybody uses the 'Static' middleware on a server connected to the internet.
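The escape reported above comes from joining the static root with the request path and never checking that the result is still inside the root. The following Java class is an added illustration, not Yoke's own code or its fix: `StaticPathCheck`, `resolveNaive` and `resolveSafe` are names chosen here, and the root `test` is taken from the report. `resolveNaive` reproduces the described behaviour; `resolveSafe` normalizes the joined path and rejects anything that leaves the root. It goes slightly beyond the report by also percent-decoding the request so that `%2e%2e` is treated like `..`.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example: resolving a request path against a static root. Not Yoke code. */
public class StaticPathCheck {

    /** The naive resolution the issue describes: root + request path, no containment check. */
    static Path resolveNaive(Path root, String requestPath) {
        // Paths.get joins the pieces; normalize() collapses ".." and walks out of root.
        return Paths.get(root.toString(), requestPath).normalize();
    }

    /**
     * Hardened resolution: decode, join, normalize, then require the result to
     * still be under the root. Returns null for a traversal attempt, which the
     * caller should answer with 403 or 404 instead of reading the file.
     */
    static Path resolveSafe(Path root, String requestPath) throws IOException {
        String decoded = URLDecoder.decode(requestPath, StandardCharsets.UTF_8.name());
        Path realRoot = root.toAbsolutePath().normalize();
        // strip the leading slash so resolve() treats the request as relative to root
        Path candidate = realRoot.resolve(decoded.replaceFirst("^/+", "")).normalize();
        // Path.startsWith compares whole components, so "/srv/test" does not
        // match "/srv/testing/x"; a plain string prefix check would.
        if (!candidate.startsWith(realRoot)) {
            return null; // e.g. "/../pom.xml" or "/../../etc/passwd"
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get("test");
        // constructed sample requests, the first two taken from the issue report
        String[] requests = {
            "/../pom.xml",
            "/../../etc/passwd",
            "/%2e%2e/pom.xml",
            "/sub/../../pom.xml",
            "/index.html"
        };
        for (String r : requests) {
            System.out.printf("%-22s naive=%-22s safe=%s%n",
                r, resolveNaive(root, r), resolveSafe(root, r));
        }
    }
}
```

With root `test`, the naive form resolves `/../pom.xml` to `pom.xml` in the parent directory, exactly the file the report retrieves, while the safe form returns null for every traversal variant and only accepts `/index.html`. One caveat that the check above does not cover: if the static root contains symbolic links pointing outside it, `normalize()` alone will not notice; resolving the candidate with `toRealPath()` before the `startsWith` test closes that gap.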

pmlopes commented 10 years ago

fixed on 1.0.4