Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Passing URL-encoded slash characters (%2F) allows accessing other users' repositories #117

Closed
fd0 opened this issue Sep 12, 2020 · 0 comments
Closed

Passing URL-encoded slash characters (%2F) allows accessing other users' repositories #117

fd0 opened this issue Sep 12, 2020 · 0 comments

Comments

@fd0
Copy link
Member

fd0 commented Sep 12, 2020
edited
Loading

@wojas discovered that it is possible to access other users' repositories (when --private-repos is used) by specifying an URL-encoded slash (/) character (as %2F) and a relative path component. So user foo was able to access the repository of user bar by accessing http://localhost:8000/foo%2F..%2Fbar. This is resolved in v0.10.0.

It is caused by very odd path handling by the goji framework used here. The code prevented accessing any files outside the repository path (--path) though.

I'd like to drop the framework and only use stdlib logic to do path handling, @wojas already started a PR #112.

I'm closing this issue since it is resolved, it was a placeholder issue so we have something to address in the changelog.
@fd0 fd0 changed the title mine Passing URL-encoded slash characters (%2F) allows accessing other users' repositories Sep 13, 2020
@fd0 fd0 closed this as completed Sep 13, 2020
@dimejo dimejo mentioned this issue Sep 21, 2021
Closed
@wojas wojas mentioned this issue Nov 12, 2021
Open
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@fd0