Comments (6)
sc0tfree
commented on May 18, 2024
1
@justinsteven curious to hear your thoughts. And thanks so much for your contributions!
from updog.
sc0tfree
commented on May 18, 2024
1
I think this is because I'm using os.path.commonprefix instead of os.path.commonpath. Interesting edge case. Thanks!
from updog.
sc0tfree
commented on May 18, 2024
Thanks so much for finding this. I believe that there's no case where path should be blank, which should be a simple addition to
Line 132 in 5566289
Any other thoughts on this?
from updog.
sc0tfree
commented on May 18, 2024
Verified fix. Going to commit.
from updog.
justinsteven
commented on May 18, 2024
Still vulnerable when path is . or ./ or probably other things :(
I think the right fix might be
Line 146 in 39d544a
It should be:
full_path = os.path.join(base_directory, path, filename)
from updog.
justinsteven
commented on May 18, 2024
Looks good to me!
Just one last thing. While testing this patch I noticed something weird :( but barely exploitable
If base_directory is /home/justin/www then doing an upload with path being /home/justin/www_zzzz is deemed valid, and is attempted (I get a Python stacktrace because the www_zzzz directory doesn't exist). Basically, your use of os.path.commonpath can be confused by appending to the directory name itself.
% # This is fine
% curl http://127.0.0.1:9090/upload -F 'file=@/etc/issue' -F 'path=/home/justin/www'
127.0.0.1 - - [19/Feb/2020 14:05:05] "POST /upload HTTP/1.1" 302 -
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href=""></a>. If not click the link.
% # This is weird
% curl http://127.0.0.1:9090/upload -F 'file=@/etc/issue' -F 'path=/home/justin/www_zzzz'
[2020-02-19 14:05:12,333] ERROR in app: Exception on /upload [POST]
Traceback (most recent call last):
File "/home/justin/.local/lib/python3.7/site-packages/flask/app.py", line 2446, in wsgi_app
response = self.full_dispatch_request()
File "/home/justin/.local/lib/python3.7/site-packages/flask/app.py", line 1951, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/home/justin/.local/lib/python3.7/site-packages/flask/app.py", line 1820, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/home/justin/.local/lib/python3.7/site-packages/flask/_compat.py", line 39, in reraise
raise value
File "/home/justin/.local/lib/python3.7/site-packages/flask/app.py", line 1949, in full_dispatch_request
rv = self.dispatch_request()
File "/home/justin/.local/lib/python3.7/site-packages/flask/app.py", line 1935, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/home/justin/.local/lib/python3.7/site-packages/flask_httpauth.py", line 105, in decorated
return f(*args, **kwargs)
File "/home/justin/.local/lib/python3.7/site-packages/updog/__main__.py", line 149, in upload
file.save(full_path)
File "/home/justin/.local/lib/python3.7/site-packages/werkzeug/datastructures.py", line 3064, in save
dst = open(dst, "wb")
FileNotFoundError: [Errno 2] No such file or directory: '/home/justin/www_zzzz/issue'
127.0.0.1 - - [19/Feb/2020 14:05:12] "POST /upload HTTP/1.1" 500 -
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>
Happy to help!
from updog.
Related Issues (20)
- Allow CORS headers to be sent
- avoid leaking full directory path HOT 1
- Potential Security Issues
- Trying to get in touch with you regarding a security issue
- What's updog? HOT 2
- [enhancement] Function to download entire directories as zip archives HOT 1
- sharex
- Open text files such as txt directly in the browser HOT 1
- Interaction via command line?
- Specify a different interface HOT 1
- Using VPN IP Address rather than host HOT 1
- [Proposal] Change directory feature.
- Response Colouring
- Is it possible to upload files via the CLI? HOT 1
- Is it possible to change the logo? HOT 2
- Kali upgrade issue
- interface problem HOT 1
- ImportError for jinja2 on Python 3.10
- Connection timed out Error HOT 1
- when upload file, updog will clear chinese characters in file name HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from updog.