mirror of https://github.com/rwf2/Rocket.git
4bc5c20a45
In #134, @tunz discovered that Rocket does not properly prevent path traversal or local file inclusion attacks. The issue is caused by a failure to check for some dangerous characters after decoding. In this case, the path separator '/' was left as-is after decoding. As such, an attacker could construct a path with containing any number of `..%2f..` sequences to traverse the file system. This commit resolves the issue by ensuring that the decoded segment does not contains any `/` characters. It further hardens the `FromSegments` implementation by checking for additional risky characters: ':', '>', '<' as the last character, and '\' on Windows. This is in addition to the already present checks for '.' and '*' as the first character. The behavior for a failing check has also changed. Previously, Rocket would skip segments that contained illegal characters. In this commit, the implementation instead return an error. The `Error` type of the `PathBuf::FromSegment` implementations was changed to a new `SegmentError` type that indicates the condition that failed. Closes #134. |
||
|---|---|---|
| .. | ||
| complete-decorator.rs | ||
| custom-content-type.rs | ||
| derive_form.rs | ||
| dynamic-paths.rs | ||
| empty-fn.rs | ||
| empty_form.rs | ||
| error-handler.rs | ||
| issue-1-colliding-names.rs | ||
| methods.rs | ||
| rank_decorator.rs | ||
| segments.rs | ||