Security oops: limited path traversal possible with FileStore.join()
Bug #708663 reported by
Jason Gerard DeRose
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Dmedia |
Fix Released
|
Critical
|
Jason Gerard DeRose |
Bug Description
Just noticed that FileStore.join() allows path traversals to directories that are siblings of FileStore.base and whose names start with basename(base). For example:
>>> from dmedia.filestore import FileStore
>>> store = FileStore(
>>> store.join('..', 'barNone', 'other', 'place')
'/foo/barNone/
This would probably be pretty hard to exploit usefully, but it is none the less a security issue. FileStore.
Changed in dmedia: | |
status: | In Progress → Fix Committed |
Changed in dmedia: | |
status: | Fix Committed → Fix Released |
To post a comment you must log in.
Now this is looks better:
>>> from dmedia.filestore import FileStore '/foo/bar' ) other/place' outside base '/foo/bar'
>>> store = FileStore(
>>> store.join('..', 'barNone', 'other', 'place')
Traceback (most recent call last):
...
FileStoreTraversal: '/foo/barNone/
Will be merging to trunk shortly.