-
Notifications
You must be signed in to change notification settings - Fork 40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Properly evaluate static serving wrt directory traversal attacks #54
Comments
It's not applicable verbatim, but Rocket's security checks for paths might be a good starting point: https://github.com/SergioBenitez/Rocket/blob/master/lib/src/request/param.rs#L328. |
Note that empty components in a path are ignored: With that in mind, a client can currently access any file the server process can access on the host machine using a path like Lines 349 to 350 in 10103f5
Example $ curl -vs http://127.0.0.1:7878//etc/passwd
root:x:0:0:root:/root:/bin/bash
... Possible alternative strategy is
|
Or how does this look to mitigate it? https://github.com/scurest/simple-server/commit/3ed6abe1a61e18f6dfdf3484902945d2a1e23699 We trim the single leading slash, put the rest into a path and iterate over its components, pushing the normals ones onto edit: can make it even simpler. https://github.com/scurest/simple-server/commit/d2ccf63192e1904185913c03e493d59f5e6d8e62 |
We serve static files, and check for
.
and..
in the path. This is probably not enough, but needs to be researched more.The text was updated successfully, but these errors were encountered: