Dmedia

Security oops: limited path traversal possible with FileStore.join()

Bug #708663 reported by Jason Gerard DeRose on 2011-01-27

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Dmedia	Fix Released	Critical	Jason Gerard DeRose	Dmedia 0.4 "forplay"

Bug Description

Just noticed that FileStore.join() allows path traversals to directories that are siblings of FileStore.base and whose names start with basename(base). For example:

>>> from dmedia.filestore import FileStore
>>> store = FileStore('/foo/bar')
>>> store.join('..', 'barNone', 'other', 'place')
'/foo/barNone/other/place'

This would probably be pretty hard to exploit usefully, but it is none the less a security issue. FileStore.create_parent() has the same problem.

Tags:

Related branches

lp:~jderose/dmedia/path-traversal-oops (Merged)

lp:dmedia

Revision history for this message

Jason Gerard DeRose (jderose) wrote on 2011-01-27:

Now this is looks better:

>>> from dmedia.filestore import FileStore
>>> store = FileStore('/foo/bar')
>>> store.join('..', 'barNone', 'other', 'place')
Traceback (most recent call last):
...
FileStoreTraversal: '/foo/barNone/other/place' outside base '/foo/bar'

Will be merging to trunk shortly.

Jason Gerard DeRose (jderose) on 2011-01-27

Changed in dmedia:
status:	In Progress → Fix Committed

Jason Gerard DeRose (jderose) on 2011-02-23

Changed in dmedia:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.