[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Security] The static file emiter is unsafe

From: Nala Ginrut
Subject: [Security] The static file emiter is unsafe
Date: Fri, 30 Oct 2020 22:36:16 +0800
User-agent: mu4e 1.4.13; emacs 27.1

Hi folks!
I found a security issue in our static file emitter, let's see an

If you have a file, say, password.json in `prv' directory, and if you
add `.json' to static emitter with (init-server #:statics '(html js css json))
in ENTRY. Then the URL "/pub/../prv/passwd.json" will expose this
private file.

In theory, this BUG can expose any file in any path if you run Artanis
under root account. I'd strongly suggest you run server in a safe
account, for an instance, www-data.

This bug was fixed in 6ac263b5e6f, the behaviour after fix would force
to use absolute path for static files, that is to say, Artanis will filter
".." in the requested path.

And please keep in mind that you should NEVER put public static files
out of `pub' directory, this is one of the strong convention in Artanis.
Vice versa, you should put private files in `prv' directory.

Comments are welcome.

Best regards.

GNU Powered it
GPL Protected it
GOD Blessed it
HFG - NalaGinrut
Fingerprint F53B 4C56 95B5 E4D5 6093 4324 8469 6772 846A 0058

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]