I guess expand_path doesn't interact well with HTTP escaping. This is pretty critical; can you file a ticket against it?
Evan

On Dec 28, 2007 5:01 PM, Eric Mason <[EMAIL PROTECTED]> wrote:
> I just found a vulnerability in one of my web apps that was running
> Mongrel 1.1.2 where I could go to URIs like
> /.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd and it
> would serve the actual /etc/passwd file.
>
> The issue seems to be in lib/mongrel/handlers.rb in the change from
> 1.0.3 to 1.0.4
>
>
> req_path = HttpRequest.unescape(path_info)
> - if @path
> - req_path = File.expand_path(File.join(@path, path_info), @path)
> - else
> - req_path = File.expand_path(req_path)
> - end
> -
> - if req_path.index(@path) == 0 and File.exist? req_path
> - # it exists and it's in the right location
> + # Add the drive letter or root path
> + req_path = File.join(@path, req_path) if @path
> + req_path = File.expand_path req_path
> +
> + if File.exist? req_path
> + # It exists and it's in the right location
> if File.directory? req_path
>
> The main difference is that "req_path.index(@path) == 0" is removed,
> which seems to be the cause of the vulnerability.
>
> Adding that check back in fixes it in 1.1.2, but may cause issues on
> Windows (I haven't checked)
>
> Also, downgrading to 1.0.3 fixes it.
> --
> Posted via http://www.ruby-forum.com/.
> _______________________________________________
> Mongrel-users mailing list
> Mongrel-users@rubyforge.org
> http://rubyforge.org/mailman/listinfo/mongrel-users
>

--
Evan Weaver
Cloudburst, LLC
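Review bot: the containment check disappears in the second half of the hunk: `- if req_path.index(@path) == 0 and File.exist? req_path` becomes `+ if File.exist? req_path`, so once `File.expand_path` has resolved any `..` segments nothing requires the result to still sit under `@path`, and a traversal that resolves to an existing file such as /etc/passwd is served. The ordering also changed: `req_path` has already been through `HttpRequest.unescape` when it reaches `File.join(@path, req_path)`, so decoded dot segments are what expand_path sees, whereas the removed `@path` branch joined the raw `path_info`. Suggest restoring a prefix test after the expansion, comparing against `File.expand_path(@path)` and accepting the result only if it equals that root or starts with root plus `File::SEPARATOR`; a bare `index(@path) == 0` would also accept a sibling directory such as /srv/www2 when @path is /srv/www, and expanding @path up front should cover the Windows drive-letter case the new comment refers to.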
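To make the point of the thread concrete, here is an added, stand-alone Ruby example (not Mongrel's code, and not posted by anyone in the thread) that mirrors the two resolution strategies being compared: decode, join under a root and expand without any containment test, versus the same expansion followed by a root-prefix check. The names `resolve_unchecked`, `resolve_contained`, `percent_unescape` and the root `/srv/www` are assumptions for illustration; `percent_unescape` decodes a single layer of `%XX` escapes, so the sample traversal is singly encoded rather than the `%252e` form from the report, whose second decoding step this page does not show.

```ruby
# Hypothetical mirror of the two DirHandler path-resolution strategies
# under discussion. Illustrative code only; `root` plays the role of @path
# and `path_info` the request path as received.

# Decode one layer of %XX escapes (stands in for HttpRequest.unescape).
def percent_unescape(s)
  s.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# Resolution as in the post-1.0.4 code: decode, join under root, expand.
# File.expand_path collapses ".." segments, and nothing here requires the
# result to remain under root, so "/../../etc/passwd" resolves to
# "/etc/passwd" and would then pass a plain File.exist? test.
def resolve_unchecked(root, path_info)
  req_path = percent_unescape(path_info)
  req_path = File.join(root, req_path)
  File.expand_path(req_path)
end

# Hardened resolution: same expansion, then the result must be the root
# itself or lie below root + separator. Requiring the separator rejects a
# sibling directory such as /srv/www2 when root is /srv/www, which a bare
# prefix match on the root string would accept.
def resolve_contained(root, path_info)
  root = File.expand_path(root)
  req_path = resolve_unchecked(root, path_info)
  inside = req_path == root || req_path.index(root + File::SEPARATOR) == 0
  inside ? req_path : nil
end

if __FILE__ == $0
  # Constructed sample requests against an assumed document root.
  root = "/srv/www"
  ["/index.html", "/%2e%2e/%2e%2e/etc/passwd", "/../www2/secret"].each do |pi|
    puts "#{pi.ljust(28)} unchecked=#{resolve_unchecked(root, pi)} " \
         "contained=#{resolve_contained(root, pi).inspect}"
  end
end
```

Running it shows the encoded traversal expanding to /etc/passwd under the unchecked strategy and being rejected (nil) under the contained one, while an ordinary request for /index.html resolves identically under both.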