Not all relative paths are filtered

tobias commented

2020-06-13 14:52:32 -04:00

Contributor

a URL ending in .. is resolved; thus one can list the directory the document root is in. Access is denied since ../ is filtered.

a URL ending in `..` is resolved; thus one can list the directory the document root is in. Access is denied since `../` is filtered.

jmcbray commented

2020-06-13 15:38:03 -04:00

Owner

Hecko, thanks for finding this. I think your comment on #17 is supposed to be on this one...

tobias commented

2020-06-13 15:50:30 -04:00

Author

Contributor

Jup, the comment was intended to go here. Besides fixing this, I was also thinking whether following symlinks is needed. Otherwise one could restrict access also with realpath to be within the document root.
Thanks to this bug is was able to verify that the systemd sandboxing is working (#15)

Jup, the comment was intended to go here. Besides fixing this, I was also thinking whether following symlinks is needed. Otherwise one could restrict access also with realpath to be within the document root. Thanks to this bug is was able to verify that the systemd sandboxing is working (#15)

jmcbray commented

2020-06-13 16:18:12 -04:00

Owner

I think we do not want to follow symlinks, IMO. I was just about to go look up how to canonicalize paths. I've temporarily pushed a super crappy quick fix, but I think your suggestion should be the real fix.

tobias commented

2020-06-13 16:31:39 -04:00

Author

Contributor

Thank you

tobias closed this issue

2020-06-13 16:31:39 -04:00

Rows
Columns

Not all relative paths are filtered #16