Hi, A ..%2F path traversal vulnerability exists in the path handler of awful-salmonella-tar before version 0.0.4. Attackers can only list directories (not read files). This occurs because the `safe-path?' predicate is not used for directories.
This vulnerability would allow attackers to navigate through the filesystem of the server (provided the user running the web server has execute access to the directories). Attackers could only list the contents of directories -- not download files. The vulnerability was caused by the lack of a check for the validity of requested paths when handling directories, notably when `..%2F' (`../' URL-encoded) was present in requested paths.

Background: awful-salmonella-tar [3] is implemented using awful [0]. Awful is implemented on top of spiffy [1], and overrides the `(handle-not-found)' parameter to map URL paths to procedures. Spiffy takes some precautions against malicious paths when it handles static files. Code that uses spiffy to generate dynamic content (as awful does) must take its own precautions. awful-salmonella-tar uses a procedure (`safe-path?') with a relatively strict policy to allow access to files, but it was not being used to validate access to directories, and that was causing the vulnerability.

The fix [2] consists of applying the `safe-path?' procedure to all requested paths.

Thanks to Chris Brannon for responsibly reporting this issue.

This issue has been assigned CVE-2022-25358.

[0] https://wiki.call-cc.org/eggref/5/awful
[1] https://wiki.call-cc.org/eggref/5/spiffy
[2] https://github.com/mario-goulart/awful-salmonella-tar/commit/f705c881769b7610745cd4b4d8ae8b41b3f4f845
[3] https://wiki.call-cc.org/eggref/5/awful-salmonella-tar

All the best.
Mario
-- 
http://parenteses.org/mario
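Added example (Python rather than the egg's Scheme, and not the project's own `safe-path?' code): a minimal handler modelling the flaw described above, where the path check covers files but is skipped for directories. The root directory, the in-memory tree and the shape of `handle' are constructed assumptions; with `check_dirs=True' every request goes through the check, as the fix does.

```python
import os
from urllib.parse import unquote

# Constructed served root; not the egg's real directory layout.
ROOT = "/srv/salmonella"

# Constructed stand-in for the filesystem: directories that exist.
# "/etc" and "/srv" sit outside ROOT and must never be listable.
DIRS = {"/srv/salmonella", "/srv/salmonella/logs", "/srv", "/etc"}


def safe_path(requested, root=ROOT):
    """True only if the URL-decoded request resolves inside root.

    Models the intent of `safe-path?' (an assumption, not its code):
    decode first so `..%2F' becomes `../', normalise, then require
    the result to be root itself or a descendant of root.
    """
    decoded = unquote(requested)
    # Reject NUL bytes and any leftover '%' (double encoding).
    if "\0" in decoded or "%" in decoded:
        return False
    target = os.path.normpath(os.path.join(root, decoded.lstrip("/")))
    return target == root or target.startswith(root + "/")


def handle(requested, check_dirs, root=ROOT):
    """Return ("deny", None), ("list", dir) or ("file", path).

    check_dirs=False reproduces the pre-0.0.4 logic: directories are
    served without consulting safe_path. check_dirs=True is the fix.
    """
    target = os.path.normpath(os.path.join(root, unquote(requested).lstrip("/")))
    if target in DIRS:
        if check_dirs and not safe_path(requested, root):
            return ("deny", None)
        return ("list", target)
    # Files were always validated, so they could not be downloaded.
    if not safe_path(requested, root):
        return ("deny", None)
    return ("file", target)


if __name__ == "__main__":
    for req in ("logs", "..%2F..%2Fetc", "..%2F..%2Fetc/passwd"):
        print(req, "vulnerable:", handle(req, False), "fixed:", handle(req, True))
```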