A parent directory of the root can be accessed #89
Labels
Comments
|
Hm, I would feel that this is a security risk yes. I would assume desirable behavior would be that you couldn't traverse "up" past the defined root. Would you like to make a patch for this? |
|
Sure. Let me try. |
hayatoito
added a commit
to hayatoito/staticfile
that referenced
this issue
Nov 8, 2016
|
You're the best. :) |
|
Released 0.3.1. Thanks @hayatoito! |
|
My pleasure. Thank you for merging! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It looks that
RequestedPath::new()uses the result ofdecode_percents(...)without any filtering.That allows a potential access to a parent directory of the Static's
root.For example, the following request might return the contents of
/etc/passwdfile.I guess this behavior is unintentional because this could be an security vulnerability.
The text was updated successfully, but these errors were encountered: