Issue #2 resolved

Directory Traversal in static_resource.erl

gebi
created an issue

Hi,

Thx for your examples showing us how to use webmachine.

I needed the static_resource.erl from your example, but after a quick glance at the code and some testing I found the classic directory traversal bug for webservers.

It would be really nice to include a hardened static_resource in webmachine upstream, as it's commonly needed and, as we can see, not so easy to get right.

    % curl -D - http://192.168.0.118:8000/static/../dispatch.conf
    HTTP/1.1 200 OK
    Server: MochiWeb/1.1 WebMachine/1.7.1 (participate in the frantic)
    Date: Sun, 29 Aug 2010 19:52:43 GMT
    Content-Type: text/plain
    Content-Length: 111

    %%-- mode: erlang --
    {[], gameserver_resource, []}.
    {["static",'*'], static_resource, [{root, "priv/www"}]}.

Comments (2)

  1. Bryan Fink repo owner

    Ah yes, I knew I should have copied earlier work instead of throwing fresh code together (even though this is, very explicitly, demo code that you should not be running anywhere near production).

    I'll probably go for something like Wriaki's static_resource: http://bitbucket.org/basho/wriaki/src/238ccf7787db/apps/wriaki/src/static_resource.erl It just ignores ".." altogether. Being smart about ".." is tough, when its behavior across symlinks varies from system to system. I may see what I can do, though…
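As an added illustration of the refuse-".." approach described in the comment above (example code written for this page, not the demo's static_resource.erl nor Wriaki's; the module and function names are mine), here is a path resolver for the dispatch rule from the report. It assumes the resource receives the segments matched by '*' as a list of strings and the root from the {root, "priv/www"} option; it turns the request in the report into a refusal instead of a file read.

```erlang
%% Added example, not the demo's static_resource.erl: resolve the wildcard
%% part of a request against the configured root without letting ".." (or a
%% separator smuggled into a segment) escape it. Follows the "just refuse .."
%% approach from the comment above; symlinks under the root are not examined.
-module(safe_static_path).
-export([resolve/2, is_safe_token/1, demo/0]).

%% Root comes from the dispatch config ({root, "priv/www"} in the report).
%% Tokens are the path segments matched by '*' in the dispatch rule; inside a
%% webmachine resource they would be taken from the request data (this module
%% stays free of webmachine so it can be compiled and run on its own).
resolve(Root, Tokens) when is_list(Root), is_list(Tokens) ->
    case lists:all(fun is_safe_token/1, Tokens) of
        true  -> {ok, filename:join([Root | Tokens])};
        false -> {error, bad_path}
    end.

%% A token may only name one directory entry. "..", "." and "" are refused
%% outright. Separators are refused because filename:join/1 restarts from an
%% absolute component (a token of "/etc/passwd" would discard Root entirely)
%% and because "\\" is a separator on Windows. NUL is refused because it
%% truncates the name in the underlying C file calls. Anything that is not a
%% string (e.g. a binary) is refused as a safe default.
is_safe_token("..") -> false;
is_safe_token(".")  -> false;
is_safe_token("")   -> false;
is_safe_token(Token) when is_list(Token) ->
    not lists:any(fun(C) -> lists:member(C, [$/, $\\, 0]) end, Token);
is_safe_token(_) -> false.

%% Constructed requests: the traversal from the report, a segment carrying an
%% absolute path, and an ordinary file under the root.
demo() ->
    Root = "priv/www",
    [resolve(Root, ["..", "dispatch.conf"]),
     resolve(Root, ["/etc/passwd"]),
     resolve(Root, ["css", "site.css"])].
```

In a resource, resource_exists/2 would call resolve/2 with the wildcard tokens and answer false (404) on {error, bad_path} rather than touching the filesystem.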