Re: [Security] The static file emitter is unsafe
From: Jérémy Korwin-Zmijowski
Subject: Re: [Security] The static file emitter is unsafe
Date: Fri, 30 Oct 2020 16:51:38 +0100
User-agent: Evolution 3.36.4-0ubuntu1
On Friday, 30 October 2020 at 22:36 +0800, Nala Ginrut wrote:
> Hi folks!
> I found a security issue in our static file emitter, let's see an
> example:
>
> If you have a file, say, password.json in the `prv' directory, and if
> you add `.json' to the static emitter with (init-server #:statics
> '(html js css json)) in ENTRY, then the URL "/pub/../prv/passwd.json"
> will expose this private file.
>
> In theory, this BUG can expose any file in any path if you run Artanis
> under the root account. I'd strongly suggest you run the server under a
> safe account, for instance, www-data.
>
> This bug was fixed in 6ac263b5e6f; the behaviour after the fix would
> force the use of absolute paths for static files, that is to say,
> Artanis will filter ".." in the requested path.
>
> And please keep in mind that you should NEVER put public static files
> outside the `pub' directory; this is one of the strong conventions in
> Artanis. Vice versa, you should put private files in the `prv'
> directory.
>
> Comments are welcome.
>
> Best regards.
>
>
> --
> GNU Powered it
> GPL Protected it
> GOD Blessed it
> HFG - NalaGinrut
> Fingerprint F53B 4C56 95B5 E4D5 6093 4324 8469 6772 846A 0058
Hey!
Thank you for advertising this point and fixing this bug!
I am about to build a brand new product based on Artanis.
Cheers,
Jérémy
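The quoted report describes the static file emitter mapping a request such as "/pub/../prv/passwd.json" onto a file outside the public directory, and the fix filtering ".." from the requested path. The following is an added example, not Artanis's own code, showing the general form of that check: percent-decode the request, collapse "." and ".." segments, and then verify the resulting path is still contained in the public root, so any request that escapes it is refused rather than served. The directory layout (/srv/artanis-app/pub and /srv/artanis-app/prv), the function name resolve_static and the suffix list are assumptions for illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed layout mirroring the convention in the mail: public static
# files live under "pub", private files under "prv". Paths are hypothetical.
PUB_ROOT = "/srv/artanis-app/pub"
# Mirrors the `(init-server #:statics '(html js css json))` setting quoted above.
ALLOWED_SUFFIXES = (".html", ".js", ".css", ".json")


def resolve_static(url_path, pub_root=PUB_ROOT, allowed=ALLOWED_SUFFIXES):
    """Map a requested URL path onto a file under pub_root, or return None.

    Canonicalise first (percent-decode, then collapse "." and ".."), and
    only then check containment, so the check sees the same path the
    filesystem would open.
    """
    decoded = unquote(url_path)
    # Public static files are only ever served from the pub prefix.
    if not decoded.startswith("/pub/"):
        return None
    relative = decoded[len("/pub/"):]
    # Only the configured static suffixes are eligible at all.
    if not relative.endswith(allowed):
        return None
    # normpath collapses ".." segments; one that climbs above pub_root
    # yields a path outside it, which the containment check rejects.
    candidate = posixpath.normpath(posixpath.join(pub_root, relative))
    if posixpath.commonpath([pub_root, candidate]) != pub_root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one traversal attempt
    # from the report, one percent-encoded form of the same request.
    for request in ("/pub/index.html",
                    "/pub/../prv/passwd.json",
                    "/pub/..%2Fprv/passwd.json"):
        print(request, "->", resolve_static(request))
```

The containment test on the canonical path is what makes this robust: a request like "/pub/css/../style.css" still resolves, because after normalisation it remains under pub_root, whereas anything that climbs above the public directory comes back as None regardless of how the ".." was spelled in the URL.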