stephenmcd / filebrowser-safe

File manager for Mezzanine

[BUG] Relative Path traversal in file_browser #137

Closed ktg9 closed 2 years ago

ktg9 commented 2 years ago

Current Behavior

Hi there, I would like to report a path traversal in mezzanine. The request /admin/media-library/browse/?o=date&ot=desc&dir= is used to retrieve files and folders in a directory inside Media Library management. However, dir is not checked for path traversal, thus allowing hackers to retrieve all file contents under the /media folder.

Expected Behavior

Mezzanine should have blocked the use of .. in the path request

Steps To Reproduce

I will use your demo site as an example

  1. Access the link http://mezzanine.jupo.org/en/admin/media-library/browse/?ot=desc&o=date&dir=dgray/../../../media/ and log in using the demo account
  2. See that you can see all folders/files under the /media directory.

Environment

- Operating System:
- Python version:
- Django version:
- Database engine and version:
- Mezzanine version:

Anything else?

No response
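The report above describes the classic shape of this bug: a user-controlled `dir` query parameter joined onto the media root without any containment check, so a value like `dgray/../../../media/` climbs out of the browser's upload directory. The block below is an added example, not code from filebrowser-safe, Mezzanine, or the reporter, and it does not reproduce the project's fix. It shows the vulnerable join beside a hardened version of the check the reporter asks for (refusing any `..` segment) combined with a post-normalisation containment check. `MEDIA_ROOT`, `UPLOAD_DIR`, `unsafe_browse_path`, `safe_browse_path` and the sample `dir` values are all constructed for the example; a real Django deployment would take the root from `settings.MEDIA_ROOT`.

```python
import posixpath

# Constructed values for the example. A real deployment would use
# settings.MEDIA_ROOT; POSIX-style separators are assumed because the
# browser builds URL-style paths.
MEDIA_ROOT = "/srv/site/media"
UPLOAD_DIR = "uploads"  # constructed: the subtree the browser should be limited to


class PathTraversal(ValueError):
    """Raised when a ``dir`` value would leave the upload root."""


def unsafe_browse_path(dir_param: str) -> str:
    """Vulnerable pattern (illustration of the reported bug): the user-supplied
    ``dir`` is joined onto the root and normalised, but never checked, so
    ``..`` segments are honoured and the result can land anywhere."""
    return posixpath.normpath(posixpath.join(MEDIA_ROOT, UPLOAD_DIR, dir_param))


def safe_browse_path(dir_param: str) -> str:
    """Hardened version: return an absolute path that is guaranteed to sit
    inside MEDIA_ROOT/UPLOAD_DIR, or raise PathTraversal.

    Three independent checks; failing any one rejects the request:
      1. NUL bytes, absolute paths and drive-style prefixes are refused
      2. any ``..`` segment is refused outright (the behaviour the report
         asks for), including backslash-separated variants, even if the
         path would net out inside the root
      3. after normalisation the result must still be the root itself or
         start with the root plus a separator
    """
    if "\x00" in dir_param:
        raise PathTraversal(f"NUL byte refused: {dir_param!r}")
    cleaned = dir_param.replace("\\", "/")
    first = cleaned.split("/", 1)[0]
    if cleaned.startswith("/") or ":" in first:
        raise PathTraversal(f"absolute path refused: {dir_param!r}")
    segments = [s for s in cleaned.split("/") if s not in ("", ".")]
    if ".." in segments:
        raise PathTraversal(f"'..' segment refused: {dir_param!r}")
    root = posixpath.join(MEDIA_ROOT, UPLOAD_DIR)
    full = posixpath.normpath(posixpath.join(root, *segments)) if segments else root
    # Prefix check with a trailing separator so that a sibling directory
    # such as ".../uploads2" is not mistaken for something under ".../uploads".
    if full != root and not full.startswith(root + "/"):
        raise PathTraversal(f"escapes upload root: {dir_param!r}")
    return full


def rejects(dir_param: str) -> bool:
    """Convenience wrapper: True if safe_browse_path refuses the value."""
    try:
        safe_browse_path(dir_param)
    except PathTraversal:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample ``dir`` values, including the payload from the report.
    samples = ["dgray/photos", "", "dgray/../../../media/", "dgray\\..\\..\\secret", "/etc"]
    for value in samples:
        try:
            print(f"{value!r:32} unsafe -> {unsafe_browse_path(value)}"
                  f"  safe -> {safe_browse_path(value)}")
        except PathTraversal as exc:
            print(f"{value!r:32} unsafe -> {unsafe_browse_path(value)}  safe -> REJECTED ({exc})")
```

With the report's payload the unsafe join resolves to `/srv/site/media`, which is exactly the symptom described (the whole media tree becomes listable), while the hardened check refuses it at the `..` test. The containment check in step 3 is kept even though step 2 already blocks `..`, because it also catches encodings or separator tricks that a later change to step 2 might miss; a deployment that serves from a symlinked media root should additionally resolve with `os.path.realpath` before comparing.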

github-actions[bot] commented 2 years ago

:tada: This issue has been resolved in version 1.1.1 :tada:

The release is available on:

Your semantic-release bot :package::rocket:

ktg9 commented 2 years ago

Hi there, could you please validate the issue on huntr.dev for me? Here is the link https://huntr.dev/bounties/63138b59-6c92-4581-aac4-57f42baf1af4/

ktg9 commented 2 years ago

@jerivas could you validate this for me? https://huntr.dev/bounties/63138b59-6c92-4581-aac4-57f42baf1af4/

jerivas commented 2 years ago

I marked the report as valid, but it was created against Mezzanine and I can't report the fix since it was applied to filebrowser_safe. Could you update the report to relate it to this repo?

ktg9 commented 2 years ago

Hi there @jerivas, I tried and think that there's no way we can update the report to relate to this repo. So I think we just leave it like that.