💾 Archived View for gemi.dev › gemini-mailing-list › 000213.gmi captured on 2024-06-16 at 12:49:27. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
Germinal update! I would like to announce the release of version 0.2 of my Common Lisp Gemini server, Germinal[1]. In this release:
On Sat, Jun 13, 2020 at 10:06:39PM -0400, Jason McBrayer wrote:
> The most important of these bug fixes is a fix to a path-traversal bug,
> that could have allowed carefully constructed requests to read
> world-readable files from outside your Germinal document root. (There
> was code to catch path traversals before, but it was wrong, and only
> caught simple cases).

Path-traversal bugs are scary! Is it worth sharing the details of this so that other server authors can check for analogous bugs in their servers? Or was it highly specific to your programming language or server design?

Cheers,
Solderpunk
Sure. Originally, I took a very simplistic approach, just eating '../' whenever I saw it in a request. Unfortunately, it didn't handle a bare '..', which meant the parent directory of the document root was listable. Worse, you could construct a request like gemini://my.site/.../...//.../...//etc/passwd to get whatever you wanted, as long as it was locally world-readable.

The fix normalizes all pathnames before looking for files, and it checks that the resulting path is under the document root. I pulled in a library to help with this, which I originally wanted to avoid, but pathname handling in Common Lisp is pretty weird, and I felt the library (ppath) was worth it.

--
+----------------------------------------------------------------+
| Jason F. McBrayer jmcbray at carcosa.net |
| The scalloped tatters of the King in Yellow must hide Yhtill |
| forever. R.W. Chambers _The King in Yellow_ |
+----------------------------------------------------------------+
On Mon, Jun 15, 2020 at 06:55:33AM -0400, Jason McBrayer wrote:
> Sure. Originally, I took a very simplistic approach, just eating '../'
> whenever I saw it in a request. Unfortunately, it didn't handle a bare
> '..', which meant the parent directory of the document root was
> listable. Worse, you could construct a request like
> gemini://my.site/.../...//.../...//etc/passwd to get whatever you
> wanted, as long as it was locally world-readable.
>
> The fix normalizes all pathnames before looking for files, and it checks
> that the resulting path is under the document root. I pulled in a
> library to help with this, which I originally wanted to avoid, but
> pathname handling in Common Lisp is pretty weird, and I felt the library
> (ppath) was worth it.

Thanks for sharing this! A good cautionary tale for people quickly throwing together servers. For what it's worth, if Molly Brown detects even a single ".." in a request URL anywhere it immediately returns:

"50 Your directory traversal technique has been defeated!\r\n"

without even consulting the filesystem. :) Just not worth the risk of trying to get it right, IMHO. Even then, I *still* explicitly check the resultant filesystem path is under the document root, and also explicitly check that it is not equal to the server access log or the TLS cert or key files (which should never be inside the document root, but better safe than sorry!).

Cheers,
Solderpunk
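The two approaches discussed in this thread, as an added example in Go that is neither Germinal's nor Molly Brown's code: naiveStrip shows why deleting "../" in a single pass turns the request Jason quoted into a real traversal, and resolveSafe applies what both servers converged on (refuse any ".." segment, normalize the rest, confirm the result is under the document root, and refuse the log/cert/key files). The document root, the denied-file list and an already percent-decoded request path are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

var ErrRefused = errors.New("request refused: outside document root or denied file")

// naiveStrip reproduces the flawed first approach from the thread:
// delete every "../" substring in a single pass and trust what remains.
func naiveStrip(reqPath string) string {
	return strings.ReplaceAll(reqPath, "../", "")
}

// resolveSafe maps a request path (assumed already percent-decoded) onto the
// filesystem the way the fixed servers do: reject any ".." segment outright,
// normalize the rest, join it to docRoot and confirm the result is still
// under docRoot. Nothing is rewritten, so it can never manufacture a ".."
// the request lacked. denied lists files never to serve even under docRoot
// (access log, TLS certificate and key); both inputs are assumptions here.
func resolveSafe(docRoot, reqPath string, denied []string) (string, error) {
	for _, seg := range strings.Split(reqPath, "/") {
		if seg == ".." {
			return "", ErrRefused
		}
	}
	clean := path.Clean("/" + reqPath) // collapses "//", "/./" and trailing "/"
	full := filepath.Join(docRoot, filepath.FromSlash(clean))
	rel, err := filepath.Rel(docRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrRefused
	}
	for _, d := range denied {
		if full == d {
			return "", ErrRefused
		}
	}
	return full, nil
}

func main() {
	root := filepath.Join(string(filepath.Separator), "srv", "gemini") // constructed
	for _, req := range []string{"..", "/.../...//.../...//etc/passwd", "/index.gmi"} {
		p, err := resolveSafe(root, req, nil)
		fmt.Printf("%q naive=%q safe=%q err=%v\n", req, naiveStrip(req), p, err)
	}
}
```

Note that the odd-looking request is accepted by resolveSafe but resolves to a (non-existent) path inside the document root, which is exactly the point: a checker that never rewrites the path cannot be tricked into producing a ".." it was not given.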
---