Comments (6)
@justinsteven curious to hear your thoughts. And thanks so much for your contributions!
from updog.
I think this is because I'm using `os.path.commonprefix` instead of `os.path.commonpath`. Interesting edge case. Thanks!
from updog.
Thanks so much for finding this. I believe that there's no case where path should be blank, which should be a simple addition to
Line 132 in 5566289
Any other thoughts on this?
from updog.
Verified fix. Going to commit.
from updog.
Still vulnerable when `path` is `.` or `./` or probably other things :(
I think the right fix might be
Line 146 in 39d544a
It should be:
full_path = os.path.join(base_directory, path, filename)
from updog.
Looks good to me!
Just one last thing. While testing this patch I noticed something weird :( but barely exploitable
If `base_directory` is `/home/justin/www` then doing an upload with `path` being `/home/justin/www_zzzz` is deemed valid, and is attempted (I get a Python stacktrace because the `www_zzzz` directory doesn't exist). Basically, your use of `os.path.commonpath` can be confused by appending to the directory name itself.
```
% # This is fine
% curl http://127.0.0.1:9090/upload -F 'file=@/etc/issue' -F 'path=/home/justin/www'
127.0.0.1 - - [19/Feb/2020 14:05:05] "POST /upload HTTP/1.1" 302 -
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href=""></a>. If not click the link.
% # This is weird
% curl http://127.0.0.1:9090/upload -F 'file=@/etc/issue' -F 'path=/home/justin/www_zzzz'
[2020-02-19 14:05:12,333] ERROR in app: Exception on /upload [POST]
Traceback (most recent call last):
  File "/home/justin/.local/lib/python3.7/site-packages/flask/app.py", line 2446, in wsgi_app
    response = self.full_dispatch_request()
  File "/home/justin/.local/lib/python3.7/site-packages/flask/app.py", line 1951, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/home/justin/.local/lib/python3.7/site-packages/flask/app.py", line 1820, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/home/justin/.local/lib/python3.7/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/home/justin/.local/lib/python3.7/site-packages/flask/app.py", line 1949, in full_dispatch_request
    rv = self.dispatch_request()
  File "/home/justin/.local/lib/python3.7/site-packages/flask/app.py", line 1935, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/home/justin/.local/lib/python3.7/site-packages/flask_httpauth.py", line 105, in decorated
    return f(*args, **kwargs)
  File "/home/justin/.local/lib/python3.7/site-packages/updog/__main__.py", line 149, in upload
    file.save(full_path)
  File "/home/justin/.local/lib/python3.7/site-packages/werkzeug/datastructures.py", line 3064, in save
    dst = open(dst, "wb")
FileNotFoundError: [Errno 2] No such file or directory: '/home/justin/www_zzzz/issue'
127.0.0.1 - - [19/Feb/2020 14:05:12] "POST /upload HTTP/1.1" 500 -
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>
```
Happy to help!
from updog.
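The two containment checks named in this thread, side by side, as an added example that is not updog's code and not written by any participant: it shows why a character-wise prefix check accepts the sibling directory `www_zzzz` while a component-wise check rejects it, and how blank, `.` and `./` values of `path` resolve. The function names are hypothetical, the inputs are constructed from the values quoted above, and paths are normalised lexically so nothing touches the filesystem.

```python
import os

BASE = "/home/justin/www"  # base directory quoted in the thread


def _target(base, path):
    # Lexical normalisation only, so the demo needs no real directories.
    # Against a real tree, os.path.realpath would also resolve symlinks.
    return os.path.normpath(os.path.join(base, path))


def inside_commonprefix(base, path):
    # commonprefix compares character by character, so a sibling whose
    # name merely starts with the base directory's name passes the check.
    return os.path.commonprefix([base, _target(base, path)]) == base


def inside_commonpath(base, path):
    # commonpath compares whole path components instead.
    return os.path.commonpath([base, _target(base, path)]) == base


def resolve_upload(base, path, filename):
    """Hypothetical helper: return the upload destination or raise ValueError."""
    base = os.path.normpath(base)
    name = os.path.basename(filename)  # drop any directory part of the name
    full_path = os.path.normpath(os.path.join(base, path, name))
    # Reject names that would resolve to a directory rather than a file,
    # and any destination that leaves the base directory.
    if name in ("", ".", "..") or os.path.commonpath([base, full_path]) != base:
        raise ValueError("upload target outside base directory: %r" % full_path)
    return full_path


if __name__ == "__main__":
    # Constructed sample values for the 'path' form field.
    samples = ["", ".", "./", "sub", "/home/justin/www_zzzz",
               "../www_zzzz", "../../../etc"]
    for p in samples:
        print("%-24r prefix=%-5s commonpath=%s"
              % (p, inside_commonprefix(BASE, p), inside_commonpath(BASE, p)))
```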