I uploaded the patch here:

http://pocoo-libs.googlegroups.com/web/directory-traversal.patch

since it looks like the one I posted in the thread got munged a bit.

On Oct 29, 2:50 pm, Vineet Kumar <[EMAIL PROTECTED]> wrote:
> On Oct 13, 3:34 pm, Vineet Kumar <[EMAIL PROTECTED]> wrote:
>
> > I ended up deciding not to do this now because I noticed that the
> > colubrid.server.StaticExports middleware doesn't do anything to
> > protect from directory traversal. So with enough '../' in the URL, a
> > client can successfully fetch any readable file on the filesystem.
>
> Here's a simple fix; we just check the located resource's absolute
> path to ensure that it is a descendant of the exported directory.
>
> Symlinks in the exported directory can still be used to serve files
> from outside the exported directory, but requests using '../' to try
> to escape the exported directory are now disallowed.
>
> # HG changeset patch
> # User Vineet Kumar <[EMAIL PROTECTED]>
> # Date 1225306171 14400
> # Branch trunk
> # Node ID 577a1223c45a7e5e94482f1d8470206132bd9616
> # Parent  f1845cc66d989a0b0ad170758dd4d8fe78c913c4
> Disallow directory traversal in StaticExports.
>
> Ensure that the located resource's absolute path is a descendant
> of the exported directory.
>
> diff -r f1845cc66d98 -r 577a1223c45a colubrid/server.py
> --- a/colubrid/server.py        Thu Oct 09 13:38:38 2008 -0400
> +++ b/colubrid/server.py        Wed Oct 29 14:49:31 2008 -0400
> @@ -44,8 +44,10 @@ class StaticExports(object):
>              if not search_path.endswith('/'):
>                  search_path += '/'
>              if path_info.startswith(search_path):
> -                real_path = os.path.join(file_path,
> path_info[len(search_path):])
> -                if os.path.exists(real_path) and
> os.path.isfile(real_path):
> +                real_path = os.path.abspath(
> +                    os.path.join(file_path,
> path_info[len(search_path):]))
> +                if (os.path.exists(real_path) and
> os.path.isfile(real_path)
> +                    and
> real_path.startswith(os.path.abspath(file_path))):
>                      return self.serve_file(real_path, start_response)
>          return self.application(environ, start_response)
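Review bot: the containment test in the last `+` lines, `real_path.startswith(os.path.abspath(file_path))`, compares against the export directory without a trailing separator, so a sibling directory whose name merely extends the export's name still passes: exporting `/srv/static` would let `../static2/x` through, because `/srv/static2/x` starts with `/srv/static`. Compare against `os.path.abspath(file_path) + os.sep` instead (treating equality with the directory itself separately if that case matters), and consider `os.path.realpath` rather than `abspath` on both sides if the symlink escape acknowledged in the message is also meant to be closed. Also, `os.path.exists(real_path) and os.path.isfile(real_path)` is redundant, since `isfile` already returns False for a missing path.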
>
> Vineet
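The containment check described in the quoted message, written out as an added example that is not colubrid's code. The helper names (`resolve_export`, `naive_prefix_check`, `build_fixture`) and the on-disk layout are assumptions made for the demonstration; the fixture is constructed in a temporary directory so the block runs offline. It goes beyond the patch in two ways the discussion raises: it resolves symlinks with `os.path.realpath`, and it compares against the export root plus a separator so a sibling directory sharing the root's name prefix is not accepted.

```python
import os
import shutil
import tempfile


def resolve_export(export_dir, requested):
    """Map a URL remainder onto a file inside export_dir, or return None.

    Hypothetical helper (not colubrid's API). Uses os.path.realpath so that
    symlinks pointing outside the export are rejected along with '../'
    escapes, and compares against root + os.sep so a sibling directory whose
    name starts with the root's name ('static2' next to 'static') fails the
    prefix test.
    """
    root = os.path.realpath(export_dir)
    # Strip leading slashes: os.path.join would otherwise discard root.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def naive_prefix_check(export_dir, requested):
    """The abspath plus bare startswith variant, kept for comparison."""
    real_path = os.path.abspath(os.path.join(export_dir, requested))
    if os.path.isfile(real_path) and real_path.startswith(os.path.abspath(export_dir)):
        return real_path
    return None


def build_fixture():
    """Construct a sample layout under a temporary directory (constructed data):

    base/static/index.html                 served file
    base/static2/secret.txt                sibling dir sharing the prefix 'static'
    base/outside.txt                       outside the export
    base/static/link -> base/outside.txt   symlink escape

    Returns the export directory path (base/static).
    """
    base = tempfile.mkdtemp()
    static = os.path.join(base, "static")
    os.mkdir(static)
    os.mkdir(os.path.join(base, "static2"))
    with open(os.path.join(static, "index.html"), "w") as fh:
        fh.write("<h1>hi</h1>")
    with open(os.path.join(base, "static2", "secret.txt"), "w") as fh:
        fh.write("sibling")
    with open(os.path.join(base, "outside.txt"), "w") as fh:
        fh.write("outside")
    os.symlink(os.path.join(base, "outside.txt"), os.path.join(static, "link"))
    return static


def demo():
    """Run both checks against the fixture; every value should be True."""
    static = build_fixture()
    try:
        return {
            "index_served": resolve_export(static, "index.html") is not None,
            "traversal_blocked": resolve_export(static, "../outside.txt") is None,
            "sibling_blocked": resolve_export(static, "../static2/secret.txt") is None,
            "symlink_blocked": resolve_export(static, "link") is None,
            # The bare-prefix variant lets both of these through.
            "naive_allows_sibling": naive_prefix_check(static, "../static2/secret.txt") is not None,
            "naive_allows_symlink": naive_prefix_check(static, "link") is not None,
        }
    finally:
        shutil.rmtree(os.path.dirname(static))


if __name__ == "__main__":
    for name, ok in sorted(demo().items()):
        print(name, ok)
```

The `candidate != root` clause exists only so the root directory itself is not rejected by the separator comparison; `isfile` then rejects it anyway, as the middleware only serves files.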
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"pocoo-libs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/pocoo-libs?hl=en
-~----------~----~----~----~------~----~------~--~---
