Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Neutralize property backward slashes sequences in StaticHandler #1025

Closed
vietj opened this issue Oct 3, 2018 · 0 comments
Closed

Neutralize property backward slashes sequences in StaticHandler #1025

vietj opened this issue Oct 3, 2018 · 0 comments
Assignees
@pmlopes
Labels
bug
Milestone
3.5.4

Comments

@vietj
Copy link
Contributor

vietj commented Oct 3, 2018

CVE-2018-12542: The StaticHandler uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '' (backward slashes) sequences that can resolve to a location that is outside of that directory when running on Windows Operating Systems. This was reported by Vishwanath Viraktamath vviraktamath@vmware.com
@vietj vietj added the bug label Oct 3, 2018
@vietj vietj added this to the 3.5.4 milestone Oct 3, 2018
vietj added a commit that referenced this issue Oct 3, 2018
@vietj
CVE-2018-12542: The StaticHandler uses external input to construct a …
57a65dc 
…pathname that should be within a restricted directory, but it does not properly neutralize '\' (forward slashes) sequences that can resolve to a location that is outside of that directory when running on Windows Operating Systems. - fixes #1025
@vietj vietj closed this as completed Oct 3, 2018
@vietj vietj mentioned this issue Oct 3, 2018
Closed
22 tasks
@LLfam LLfam mentioned this issue Oct 7, 2020
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@pmlopes pmlopes

Labels
bug
Milestone
3.5.4
Development

No branches or pull requests
2 participants
@vietj @pmlopes