mirror of
https://github.com/rwf2/Rocket.git
synced 2025-01-09 03:02:45 +00:00
4bc5c20a45
In #134, @tunz discovered that Rocket does not properly prevent path traversal or local file inclusion attacks. The issue is caused by a failure to check for some dangerous characters after decoding. In this case, the path separator '/' was left as-is after decoding. As such, an attacker could construct a path containing any number of `..%2f..` sequences to traverse the file system. This commit resolves the issue by ensuring that the decoded segment does not contain any `/` characters. It further hardens the `FromSegments` implementation by checking for additional risky characters: ':', '>', '<' as the last character, and '\' on Windows. This is in addition to the already present checks for '.' and '*' as the first character. The behavior for a failing check has also changed. Previously, Rocket would skip segments that contained illegal characters. In this commit, the implementation instead returns an error. The `Error` type of the `PathBuf::FromSegment` implementations was changed to a new `SegmentError` type that indicates the condition that failed. Closes #134.
Directory listing:

- complete-decorator.rs
- custom-content-type.rs
- derive_form.rs
- dynamic-paths.rs
- empty_form.rs
- empty-fn.rs
- error-handler.rs
- issue-1-colliding-names.rs
- methods.rs
- rank_decorator.rs
- segments.rs
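As an added illustration of the segment checks the commit message describes (this is not Rocket's own code; the `SegmentError` variant names, the helper names and the handling of a literal `..` segment are this example's assumptions), a self-contained Rust version that percent-decodes each segment first and only then validates it, so an encoded `%2f` cannot survive as a separator:

```rust
use std::path::PathBuf;

/// Why a segment was rejected. Variant names are this example's own, not Rocket's.
#[derive(Debug, PartialEq)]
pub enum SegmentError { BadStart(char), BadEnd(char), BadChar(char), Utf8 }

/// Minimal percent-decoder ("%2f" -> "/"); malformed escapes are kept verbatim.
pub fn percent_decode(segment: &str) -> Result<String, SegmentError> {
    let (bytes, mut out, mut i) = (segment.as_bytes(), Vec::new(), 0);
    while i < bytes.len() {
        let hex = bytes.get(i + 1..i + 3)
            .filter(|h| bytes[i] == b'%' && h.iter().all(u8::is_ascii_hexdigit));
        match hex.and_then(|h| u8::from_str_radix(std::str::from_utf8(h).ok()?, 16).ok()) {
            Some(v) => { out.push(v); i += 3; }
            None => { out.push(bytes[i]); i += 1; }
        }
    }
    String::from_utf8(out).map_err(|_| SegmentError::Utf8)
}

/// The checks run on the *decoded* text, which is the point of the fix: an encoded
/// "%2f" must not survive decoding as a path separator.
pub fn check_segment(decoded: &str) -> Result<(), SegmentError> {
    if let Some(c @ ('.' | '*')) = decoded.chars().next() {
        return Err(SegmentError::BadStart(c));
    }
    if let Some(c @ (':' | '>' | '<')) = decoded.chars().last() {
        return Err(SegmentError::BadEnd(c));
    }
    if let Some(c) = decoded.chars().find(|&c| c == '/' || (cfg!(windows) && c == '\\')) {
        return Err(SegmentError::BadChar(c));
    }
    Ok(())
}

/// Build a relative path from raw URI segments; the first bad segment fails the
/// whole request instead of being silently skipped as before the fix.
pub fn path_from_segments<'a>(segs: impl IntoIterator<Item = &'a str>) -> Result<PathBuf, SegmentError> {
    let mut buf = PathBuf::new();
    for raw in segs {
        let decoded = percent_decode(raw)?;
        if decoded == ".." {
            buf.pop(); // assumed policy: no-op on an empty relative buffer, so it cannot climb past the root
            continue;
        }
        check_segment(&decoded)?;
        buf.push(&decoded);
    }
    Ok(buf)
}
```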