Closed hans362 closed 4 months ago
Thanks a lot for reporting this, will be solved in https://github.com/webp-sh/webp_server_go/pull/331
We came up with two ideas for mitigating this:

`/`

`.` or `./` as in current PR

Do you have any suggestion on this? @hans362
I would suggest the first solution, which is to deny all request paths that don't have the prefix `/`, since this complies with RFC 7230 Section 5.3.1:

> If the target URI's path component is empty, the client MUST send "/" as the path within the origin-form of request-target.

Meanwhile, this ensures that `path.Clean()` removes all `../` in the request path and will never traverse out of `/`, so that it can be safely joined with `IMG_PATH`.

The second solution cannot mitigate this issue, since the following payload still works:

```http
GET a/../../../test.png HTTP/1.1
Host: 127.0.0.1:23333
```
Thank you for your explanation, I've updated the PR and got it merged, the fix will be available in 0.11.3 (https://github.com/webp-sh/webp_server_go/releases/tag/0.11.3)
Thank you again for helping us to point out this vulnerability, which is very helpful to us! ❤️
**Describe the bug**
By sending a malformed HTTP request directly to `webp_server_go`, attackers can read images (but not files) outside the `IMG_PATH` defined in the configuration file.

**To Reproduce**
Suppose `webp_server_go` is serving at 127.0.0.1:23333 and `IMG_PATH` has been set to `/opt/pics`. Send the following HTTP request to the server. Note that the URI part does not start with `/`.

`./test.png` will be returned if it exists, which is outside `IMG_PATH`.

**Expected behavior**
Images outside `IMG_PATH` should not be accessible.

**Screenshots and logs**

**Environment**

**Additional context**
The patch for CVE-2021-46104 is not sufficient. `path.Clean(reqUri)` won't remove all `../` if `reqUri` begins with `../`.
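The behaviour discussed in the reporter's comment and in the issue body above, shown as an added Go example (this is not code from webp_server_go or from the PR): `path.Clean` leaves a leading `../` untouched on a relative path but collapses it against `/` on a rooted path, so requiring the `/` prefix before cleaning and joining with `IMG_PATH` closes the traversal. The `imgPath` constant is a constructed stand-in for the configured `IMG_PATH`; `naiveResolve` and `prefixResolve` are hypothetical models of the pre-fix behaviour and of the rejected "prepend `./`" idea, written here to make the difference visible; the `withinRoot` containment check is an extra defence-in-depth step that the issue does not describe.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// Constructed value for this example; the real server reads IMG_PATH from its config file.
const imgPath = "/opt/pics"

var errBadTarget = errors.New("request target must start with \"/\"")

// withinRoot reports whether resolved is root itself or lies below it.
// Extra defence-in-depth check, not part of the fix described in the issue.
func withinRoot(root, resolved string) bool {
	root = path.Clean(root)
	return resolved == root || strings.HasPrefix(resolved, root+"/")
}

// ResolveImage maps an HTTP request target onto a file under root using the
// mitigation chosen in the issue: any target that does not start with "/" is
// rejected, so path.Clean always works on a rooted path and every leading
// "../" collapses against "/" instead of surviving into the join.
func ResolveImage(root, reqURI string) (string, error) {
	if !strings.HasPrefix(reqURI, "/") {
		return "", errBadTarget
	}
	resolved := path.Join(root, path.Clean(reqURI))
	if !withinRoot(root, resolved) {
		// Unreachable once the prefix check holds; kept as a guard against regressions.
		return "", errBadTarget
	}
	return resolved, nil
}

// naiveResolve models the pre-fix behaviour (hypothetical): the target is
// cleaned and joined as sent, so a relative "../x" survives path.Clean and
// path.Join then collapses it against root, landing outside IMG_PATH.
func naiveResolve(root, reqURI string) string {
	return path.Join(root, path.Clean(reqURI))
}

// prefixResolve models the second proposed mitigation (hypothetical): prefix
// "./" before cleaning. The reporter's "a/../../../test.png" still escapes.
func prefixResolve(root, reqURI string) string {
	return path.Join(root, path.Clean("./"+reqURI))
}

func main() {
	targets := []string{"/test.png", "/../test.png", "../test.png", "a/../../../test.png"}
	for _, target := range targets {
		got, err := ResolveImage(imgPath, target)
		fmt.Printf("fixed    %-22q -> %q err=%v\n", target, got, err)
		fmt.Printf("naive    %-22q -> %q\n", target, naiveResolve(imgPath, target))
		fmt.Printf("prefixed %-22q -> %q\n", target, prefixResolve(imgPath, target))
	}
}
```

Running it shows that the fixed resolver maps `/../test.png` to `/opt/pics/test.png` and rejects both relative targets, while the naive and `./`-prefixed variants resolve `../test.png` to `/opt/test.png` and `a/../../../test.png` to `/test.png`, both outside the image root.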