
static file register arbitrary file read #633

Closed
yeahx opened this issue Apr 13, 2017 · 2 comments

Comments

yeahx (Contributor) commented Apr 13, 2017

In file sanic/sanic/static.py at line 46 we can see the security check:

```python
43    async def _handler(request, file_uri=None):
44        # Using this to determine if the URL is trying to break out of the path
45        # served.  os.path.realpath seems to be very slow
46        if file_uri and '../' in file_uri:
47            raise InvalidUsage("Invalid URL")
```

But at line 56 in this file, the unquote function decodes file_path:

```python
file_path = unquote(file_path)
```

We only need to URL-encode the "/" to bypass the previous security check, like this:

[image]

Example of the vulnerability:

```python
#!/usr/bin/env python
#-*- coding:utf-8 -*-
#author: lazyago@gmail.com
from sanic import Sanic
from sanic.response import text


app = Sanic()

# Serve files from /var/tmp under the /static URL prefix; this is the
# static registration whose path check is bypassed.
app.static('/static', '/var/tmp')

@app.route("/")
async def test(request):
    return text('Hello!')

if __name__ == '__main__':
    app.run(host='127.0.0.1', port=8787, debug=True)
```
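As an added example (not code from the report or from Sanic), the quoted substring check beside a hardened variant that decodes the URI first and then confirms with os.path.realpath that the resolved target still lies under the static root; the root directory and the file names are assumed.

```python
import os
from urllib.parse import unquote

# Assumed static root: the directory registered in the report's app.static() call.
STATIC_ROOT = "/var/tmp"


def naive_check(file_uri):
    """The check quoted from static.py: a substring test on the raw,
    still percent-encoded URI. Returns True when the URI is allowed."""
    return not (file_uri and '../' in file_uri)


def resolve_under_root(root, file_uri):
    """Hardened variant: decode first, then resolve the candidate path and
    require that it still lies under the static root. Returns the absolute
    path of the file to serve, or None when the request escapes the root."""
    decoded = unquote(file_uri or '')
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip('/')))
    # commonpath equals root_real only if candidate is root_real or inside it
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def escapes_root(root, file_uri):
    """True when the hardened check rejects the URI."""
    return resolve_under_root(root, file_uri) is None


if __name__ == '__main__':
    # Constructed inputs: a benign file, the literal traversal the original
    # check catches, and the encoded-slash form from the report that it misses.
    for uri in ("css/app.css", "../etc/passwd", "..%2fetc/passwd"):
        print(f"{uri!r:22} naive allows={naive_check(uri)!s:5} "
              f"hardened allows={not escapes_root(STATIC_ROOT, uri)}")
```

The realpath step also neutralises symlinks inside the root, which is the cost the original comment was trying to avoid.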
go2sh commented Apr 14, 2017

Ouch.

seemethere (Member) commented:

Closed with #635
