On Oct 13, 3:34 pm, Vineet Kumar <[EMAIL PROTECTED]> wrote:
> I ended up deciding not to do this now because I noticed that the
> colubrid.server.StaticExports middleware doesn't do anything to
> protect from directory traversal. So with enough '../' in the URL, a
> client can successfully fetch any readable file on the filesystem.

Here's a simple fix; we just check the located resource's absolute
path to ensure that it is a descendant of the exported directory.

Symlinks in the exported directory can still be used to serve files
from outside the exported directory, but requests using '../' to try
to escape the exported directory are now disallowed.

# HG changeset patch
# User Vineet Kumar <[EMAIL PROTECTED]>
# Date 1225306171 14400
# Branch trunk
# Node ID 577a1223c45a7e5e94482f1d8470206132bd9616
# Parent  f1845cc66d989a0b0ad170758dd4d8fe78c913c4
Disallow directory traversal in StaticExports.

Ensure that the located resource's absolute path is a descendant
of the exported directory.

diff -r f1845cc66d98 -r 577a1223c45a colubrid/server.py
--- a/colubrid/server.py        Thu Oct 09 13:38:38 2008 -0400
+++ b/colubrid/server.py        Wed Oct 29 14:49:31 2008 -0400
@@ -44,8 +44,10 @@ class StaticExports(object):
             if not search_path.endswith('/'):
                 search_path += '/'
             if path_info.startswith(search_path):
-                real_path = os.path.join(file_path,
path_info[len(search_path):])
-                if os.path.exists(real_path) and
os.path.isfile(real_path):
+                real_path = os.path.abspath(
+                    os.path.join(file_path,
path_info[len(search_path):]))
+                if (os.path.exists(real_path) and
os.path.isfile(real_path)
+                    and
real_path.startswith(os.path.abspath(file_path))):
                     return self.serve_file(real_path, start_response)
         return self.application(environ, start_response)
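Review bot: the containment test `real_path.startswith(os.path.abspath(file_path))` is a bare string-prefix comparison with no trailing separator, so an export directory `/srv/static` also accepts `/srv/static2/secret` (reachable as `../static2/secret` after normalisation). Compute the root once with a separator appended and compare against that, e.g. `root = os.path.abspath(file_path) + os.sep` followed by `real_path.startswith(root)`. Since `os.path.abspath` only normalises the string and never touches the filesystem, a symlink below the export directory still resolves outside it, as the message itself notes; using `os.path.realpath` on both sides would close that hole too. Minor: `os.path.isfile(real_path)` already implies `os.path.exists(real_path)`, so the first call is redundant.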



Vineet
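The following is an added example, not colubrid code and not part of Vineet's patch. It reproduces the middleware's prefix-stripping logic in two variants: `locate_naive`, which mirrors the patch (abspath plus a bare startswith), and `locate`, which resolves symlinks with os.path.realpath and compares whole path components with os.path.commonpath (Python 3.5+). The function names and the temporary directory layout built by `build_fixture` (an exported `static` dir, a sibling `static2` dir, a file outside both, and a symlink) are assumptions constructed here to show the two cases the simple check still lets through.

```python
import os
import tempfile


def _strip_prefix(search_path, path_info):
    """Apply StaticExports-style prefix matching; return the remainder or None."""
    if not search_path.endswith('/'):
        search_path += '/'
    if not path_info.startswith(search_path):
        return None
    return path_info[len(search_path):]


def locate_naive(export_dir, search_path, path_info):
    """Containment check as written in the patch: abspath + bare startswith().

    Accepts /srv/static2/x for an export dir /srv/static, and follows symlinks
    because abspath() never consults the filesystem.
    """
    relative = _strip_prefix(search_path, path_info)
    if relative is None:
        return None
    real_path = os.path.abspath(os.path.join(export_dir, relative))
    if os.path.isfile(real_path) and real_path.startswith(os.path.abspath(export_dir)):
        return real_path
    return None


def locate(export_dir, search_path, path_info):
    """Hardened containment check (assumed replacement, not the project's code).

    realpath() resolves '..' and symlinks against the real filesystem, and
    commonpath() compares whole components, so a sibling directory whose name
    merely starts with the export root is rejected.
    """
    relative = _strip_prefix(search_path, path_info)
    if relative is None:
        return None
    export_root = os.path.realpath(export_dir)
    # join() discards export_root if 'relative' is absolute (e.g. "/static//etc/passwd");
    # the commonpath test below still catches that case.
    candidate = os.path.realpath(os.path.join(export_root, relative))
    if os.path.commonpath([export_root, candidate]) != export_root:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def build_fixture():
    """Constructed test layout (not from the original page):

        <tmp>/static/index.html      legitimately exported
        <tmp>/static/link -> ../outside.txt   symlink escaping the export dir
        <tmp>/static2/secret.txt     sibling dir sharing the name prefix
        <tmp>/outside.txt            must never be served
    Returns (tmp_root, export_dir).
    """
    root = tempfile.mkdtemp()
    export = os.path.join(root, "static")
    os.makedirs(export)
    os.makedirs(os.path.join(root, "static2"))
    with open(os.path.join(export, "index.html"), "w") as fh:
        fh.write("<h1>exported</h1>")
    with open(os.path.join(root, "static2", "secret.txt"), "w") as fh:
        fh.write("sibling secret")
    with open(os.path.join(root, "outside.txt"), "w") as fh:
        fh.write("outside the export")
    os.symlink(os.path.join(root, "outside.txt"), os.path.join(export, "link"))
    return root, export


if __name__ == "__main__":
    _, export_dir = build_fixture()
    for req in ("/static/index.html", "/static/../static2/secret.txt",
                "/static/link", "/static//etc/passwd"):
        print(req, "naive:", locate_naive(export_dir, "/static", req),
              "hardened:", locate(export_dir, "/static", req))
```

Running the script shows the naive variant returning paths for both `/static/../static2/secret.txt` and `/static/link`, while the hardened variant returns None for everything except `/static/index.html`.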
You received this message because you are subscribed to the Google Groups 
"pocoo-libs" group.
For more options, visit this group at 
http://groups.google.com/group/pocoo-libs?hl=en