Closed. Ryan-ZA closed this 10 years ago.
Yes, this is a security issue, but I don't think the solution you propose is the right one to take. I lean more towards an extra method normalizedPath() in the request that would resolve all . and .. and, if the final path is not below the mount point, return null. If the return is null then no path can be resolved, so it should become a 404 error.
The idea is to split on /; all . should be excluded, and all .. should exclude itself and the previous one. Finally it must start with the mount point of the middleware to be totally valid; the last validation should be at the middleware itself (I think...).
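The normalisation sketched in the comment above, written out as an added example (this is not Yoke's code, and `PathNormalizer`, `normalize` and `resolveUnder` are hypothetical names): split on `/`, drop `.`, let `..` remove itself and the previous segment, return null when the path climbs above `/` or lands outside the mount point, and then, as the comment suggests the middleware itself should do, check the resolved file once more against the served directory. Two assumptions go beyond the comment: the input is taken to be already percent-decoded (so `%2e%2e` arrives as `..`; decoding after this check would reopen the hole), and backslashes are treated as separators as well, because the JDK file APIs accept them on Windows. Java 8 or later.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Illustrative request-path normalisation for a static-file middleware.
 * Added example, not Yoke's own code; the class and method names are hypothetical.
 */
public final class PathNormalizer {

    /**
     * Resolves every "." and ".." segment of rawPath. Returns the canonical path,
     * or null when the path climbs above "/" or ends up outside the mount point;
     * the caller should turn null into a 404.
     *
     * Assumes rawPath has already been percent-decoded (so "%2e%2e" is seen as "..").
     * Backslashes are treated as separators too (an assumption beyond the thread),
     * because the JDK file APIs accept them on Windows.
     */
    public static String normalize(String mount, String rawPath) {
        if (rawPath == null) return null;
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : rawPath.split("[/\\\\]")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                            // "." and empty segments ("//") are dropped
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) return null; // ".." above the root: cannot be resolved
                segments.removeLast();               // ".." removes itself and the previous segment
            } else {
                segments.addLast(seg);
            }
        }
        String normalized = "/" + String.join("/", segments);

        String m = (mount == null) ? "/" : mount;
        while (m.length() > 1 && m.endsWith("/")) m = m.substring(0, m.length() - 1);
        if (m.isEmpty() || m.equals("/")) return normalized;   // middleware mounted at the root
        // "/static" must not accept "/staticfiles": require an exact match or a "/" boundary
        if (normalized.equals(m) || normalized.startsWith(m + "/")) return normalized;
        return null;
    }

    /**
     * Second, independent check at the middleware: map a path relative to the served
     * directory onto the file system and confirm the result is still inside that directory.
     * (How the mount prefix maps onto the directory is the middleware's business;
     * pass the part of the normalised path that follows the mount point.)
     */
    public static Path resolveUnder(Path root, String relative) {
        if (relative == null) return null;
        Path base = root.toAbsolutePath().normalize();
        Path target = base.resolve(relative).normalize();
        return target.startsWith(base) ? target : null;
    }

    public static void main(String[] args) {
        // Constructed sample requests against a middleware mounted at /static
        String[] requests = {
            "/static/css/../app.js",        // -> /static/app.js
            "/static/./img//logo.png",      // -> /static/img/logo.png
            "/static/../../../etc/passwd",  // -> null (climbs above /)
            "/static/../mods/secret.java",  // -> null (leaves the mount point)
            "/staticfiles/x",               // -> null (a prefix match is not enough)
            "/static/..\\..\\etc\\passwd",  // -> null (backslashes treated as separators)
        };
        for (String r : requests) {
            System.out.printf("%-32s -> %s%n", r, normalize("/static", r));
        }
        // Belt and braces: even a normalised path is re-checked against the served directory
        System.out.println(resolveUnder(Paths.get("public"), "app.js"));          // public/app.js
        System.out.println(resolveUnder(Paths.get("public"), "../etc/passwd"));   // null
    }
}
```

The mount check compares on a `/` boundary rather than with a bare `startsWith`, so a sibling directory whose name merely begins with the mount point is not accepted. `resolveUnder` is the check the comment says should live in the middleware: it costs nothing and catches anything the string-level normalisation missed, such as a decoding step that ran in the wrong order.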
Sure, there are better solutions; I just took the solution from the vert.x docs: http://vertx.io/core_manual_java.html#serving-files-directly-from-disk
Given how serious the problem is - any server running Yoke is vulnerable to having all the sensitive files on its filesystem viewed, including source for modules or password files - it seemed like a good idea to propose any solution at all to try and close the hole quickly.
1.0.4 contains a fix for this
Currently you can create an HTTP GET request with ../../../ to access the server's file system.