
incorrect path escaping #1029

Open
scf37 opened this issue Nov 8, 2018 · 2 comments

@scf37

scf37 commented Nov 8, 2018

Given route:

get(paths[String]) { p: Seq[String] =>
  Ok(p.toString)
}

GET /../secret prints "List(secret)"
but
GET /%2E%2E/secret prints "List(.., secret)"
and
GET /%2F/etc/passwd prints "List(/, etc, passwd)"

This can be nasty for unsuspecting people serving files from local disk

finch version: 0.22.0

@vkostyukov
Collaborator

Thanks for the ticket, @scf37!

What happens in version 0.25? Also, which output do you think it should yield?

@scf37
Author

scf37 commented Nov 8, 2018

0.25 - same behavior.

I believe finch should either sanitize paths properly or not sanitize them at all.
E.g. /a/../b should produce the same result as /a/%2E%2E/b - either List(b) or List(a, .., b)

Since urlencoded path segments are weird but perfectly RFC-valid, I believe finch should not cut .. segments from the input.
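
The three observations from the report, reproduced and contrasted with a decode-first approach, as an added example in Python that is not part of Finch or of the reporter's code. `normalize_then_decode` is a reconstruction of the reported behaviour (collapse dot segments on the still-encoded path, then decode), not Finch's implementation; `decode_then_split` and `safe_disk_path` are hypothetical helpers, and `/srv/www` is an assumed document root. It goes beyond the specific cases in the thread by also checking the `%2E%2E` twin of `/a/../b` and by showing the containment check a file-serving route needs regardless of which of the two consistent behaviours the router picks.

```python
from typing import List, Optional
from urllib.parse import unquote
import posixpath

# Constructed request paths: the three from the issue plus the pair from the
# follow-up comment (raw and percent-encoded forms of the same traversal).
CASES = ["/../secret", "/%2E%2E/secret", "/%2F/etc/passwd", "/a/../b", "/a/%2E%2E/b"]


def normalize_then_decode(path: str) -> List[str]:
    """Reconstruction of the reported behaviour (not Finch's code): dot segments
    are collapsed while the path is still percent-encoded, and each surviving
    segment is decoded afterwards. An encoded '..' or '/' therefore reaches the
    handler as a literal segment while the raw '..' is silently dropped."""
    segs: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
            continue
        segs.append(seg)
    return [unquote(s) for s in segs]


def decode_then_split(path: str) -> List[str]:
    """Consistent alternative (hypothetical helper): decode every segment first
    and keep it literally, so '/a/../b' and '/a/%2E%2E/b' yield the same list
    and a '%2F' stays inside its segment instead of becoming a separator."""
    return [unquote(seg) for seg in path.split("/") if seg != ""]


def safe_disk_path(root: str, segments: List[str]) -> Optional[str]:
    """Map decoded segments under a document root (POSIX path arithmetic only,
    no filesystem access). Rejects empty, '.', '..' and any segment carrying a
    separator or NUL byte, then confirms the joined path is still inside root.
    Returns None on rejection so the caller can answer 400/404."""
    for seg in segments:
        if seg in ("", ".", "..") or "/" in seg or "\\" in seg or "\x00" in seg:
            return None
    root = posixpath.normpath(root)
    joined = posixpath.normpath(posixpath.join(root, *segments))
    if joined != root and not joined.startswith(root + "/"):
        return None
    return joined


if __name__ == "__main__":
    for case in CASES:
        print(f"{case:18} reported={normalize_then_decode(case)!s:22} "
              f"decoded={decode_then_split(case)!s:22} "
              f"disk={safe_disk_path('/srv/www', decode_then_split(case))}")
```

Whichever of the two consistent behaviours the router adopts, the route that serves files must run the equivalent of `safe_disk_path` on the decoded segments, because the inconsistency only becomes exploitable once a `..` or `/` that survived decoding is joined onto a filesystem path.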

@vkostyukov vkostyukov added the bug label Nov 8, 2018
@vkostyukov vkostyukov modified the milestones: Finch 0.26, Finch 0.27 Nov 8, 2018
@vkostyukov vkostyukov modified the milestones: Finch 0.27, Finch 1.0 Dec 11, 2018