[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Security] The static file emiter is unsafe

From: Jérémy Korwin-Zmijowski
Subject: Re: [Security] The static file emiter is unsafe
Date: Fri, 30 Oct 2020 16:51:38 +0100
User-agent: Evolution 3.36.4-0ubuntu1

Le vendredi 30 octobre 2020 à 22:36 +0800, Nala Ginrut a écrit :
> Hi folks!
> I found a security issue in our static file emitter, let's see an
> example:
> If you have a file, say, password.json in `prv' directory, and if you
> add `.json' to static emitter with (init-server #:statics '(html js
> css json))
> in ENTRY. Then the URL "/pub/../prv/passwd.json" will expose this
> private file.
> In theory, this BUG can expose any file in any path if you run
> Artanis
> under root account. I'd strongly suggest you run server in a safe
> account, for an instance, www-data.
> This bug was fixed in 6ac263b5e6f, the behaviour after fix would
> force
> to use absolute path for static files, that is to say, Artanis will
> filter
> ".." in the requested path.
> And please keep in mind that you should NEVER put public static files
> out of `pub' directory, this is one of the strong convention in
> Artanis.
> Vice versa, you should put private files in `prv' directory.
> Comments are welcome.
> Best regards.
> --
> GNU Powered it
> GPL Protected it
> GOD Blessed it
> HFG - NalaGinrut
> Fingerprint F53B 4C56 95B5 E4D5 6093 4324 8469 6772 846A 0058

Hey !

Thank you for advertising this point and fixing this bug !

I am about to build a brand new product based on Artanis.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]