Archived view for rawtext.club › ~sloum › geminilist › 001694.gmi, captured on 2020-10-31 at 02:27:31.
solderpunk solderpunk at SDF.ORG
Mon Jun 15 12:01:14 BST 2020
- - - - - - - - - - - - - - - - - - -
On Mon, Jun 15, 2020 at 06:55:33AM -0400, Jason McBrayer wrote:
> Sure. Originally, I took a very simplistic approach, just eating '../'
> whenever I saw it in a request. Unfortunately, it didn't handle a bare
> '..', which meant the parent directory of the document root was
> listable. Worse, you could construct a request like
> gemini://my.site/.../...//.../...//etc/passwd to get whatever you
> wanted, as long as it was locally world-readable.
>
> The fix normalizes all pathnames before looking for files, and it checks
> that the resulting path is under the document root. I pulled in a
> library to help with this, which I originally wanted to avoid, but
> pathname handling in Common Lisp is pretty weird, and I felt the library
> (ppath) was worth it.
Thanks for sharing this! A good cautionary tale for people quickly throwing together servers.

For what it's worth, if Molly Brown detects even a single ".." in a request URL anywhere it immediately returns:

"50 Your directory traversal technique has been defeated!\r\n"

without even consulting the filesystem. :) Just not worth the risk of trying to get it right, IMHO. Even then, I *still* explicitly check the resultant filesystem path is under the document root, and also explicitly check that it is not equal to the server access log or the TLS cert or key files (which should never be inside the document root, but better safe than sorry!).

Cheers,
Solderpunk
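The two layers described in this thread, as an added Go example that is not Molly Brown's code nor the Common Lisp server's: `naiveStrip` reconstructs the single-pass "eat '../'" approach from the description only, and `ResolveRequestPath`, `UnderRoot`, the `/srv/gemini` document root and the protected-file list are hypothetical names chosen here.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

var (
	ErrDotDot    = errors.New("request contains '..'")
	ErrOutside   = errors.New("resolved path escapes document root")
	ErrProtected = errors.New("resolved path is a protected server file")
)
// naiveStrip reconstructs the first approach from the thread (delete every
// "../" in one pass); it is here only to show why that is not enough.
func naiveStrip(urlPath string) string {
	return strings.ReplaceAll(urlPath, "../", "")
}

// UnderRoot: is a path.Clean'ed absolute path root itself or strictly inside it?
func UnderRoot(root, candidate string) bool {
	return candidate == root || strings.HasPrefix(candidate, root+"/")
}
// ResolveRequestPath applies both layers from the thread: refuse any ".."
// before touching the filesystem, then normalise and confirm the result is
// under docRoot and is not a protected server file (log, TLS cert or key).
func ResolveRequestPath(docRoot, urlPath string, protected []string) (string, error) {
	if strings.Contains(urlPath, "..") {
		return "", ErrDotDot
	}
	root := path.Clean("/" + docRoot)
	resolved := path.Clean(root + "/" + urlPath)
	if !UnderRoot(root, resolved) {
		return "", ErrOutside
	}
	for _, p := range protected {
		if resolved == path.Clean(p) {
			return "", ErrProtected
		}
	}
	return resolved, nil
}

func main() { // constructed document root; the request shape is the one quoted above
	req := "/.../...//.../...//etc/passwd"
	fmt.Println("naive strip leaves:", naiveStrip(req))
	_, err := ResolveRequestPath("/srv/gemini", req, nil)
	fmt.Println("hardened resolver:", err)
}
```

Running it shows the single-pass strip turning the quoted request into `/../../etc/passwd`, which the containment check on the normalised path catches, while the ".." refusal rejects the request before any filesystem work.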