Issue 10068

Title
Directory loader can escape root directory
Priority
bug
Status
resolved
Nosy list
bch, ced, nicoe, pokoli, reviewbot, roundup-bot, sharkcz, yangoon
Assigned to
ced
Keywords
review

Created on 2021-02-08.10:20:48 by ced, last changed 4 months ago by roundup-bot.

Messages

New changeset 572f104db848 by Cédric Krier in branch 'default':
Use safe_join in SharedDataMiddlewareIndex
https://hg.tryton.org/tryton-env/rev/572f104db848
New changeset bdea3f9af35f by Cédric Krier in branch 'default':
Use safe_join in SharedDataMiddlewareIndex
https://hg.tryton.org/trytond/rev/bdea3f9af35f

New changeset 351b776b15e1 by Cédric Krier in branch '5.8':
Use safe_join in SharedDataMiddlewareIndex
https://hg.tryton.org/trytond/rev/351b776b15e1

New changeset 69ea25e4e4b5 by Cédric Krier in branch '5.6':
Use safe_join in SharedDataMiddlewareIndex
https://hg.tryton.org/trytond/rev/69ea25e4e4b5

New changeset b210cd3452af by Cédric Krier in branch '5.0':
Use safe_join in SharedDataMiddlewareIndex
https://hg.tryton.org/trytond/rev/b210cd3452af

Author: [hidden] (pokoli) Tryton committer Tryton translator
Date: 2021-02-09.18:34:48

I reproduced the issue when using a reverse-proxy like nginx so probably it depends on the setup. As we are just redirecting all requests to uwsgi it makes sense for me that it's exploitable.

The proposed release schedule makes sense for me, indeed if it's possible to publish it sooner it will be great.

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2021-02-08.10:27:43

Here is review333851027. I keep a fallback on posixpath.join because we do not have a minimal version for werkzeug and safe_join was added in 0.7 only.

As the issue has been made public for a short time, I think we should accelerate the publication. I propose the 12/02/2021 at 10:00 CET.

Side note: I could not reproduce it when trytond is running behind a reverse-proxy like nginx.

Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2021-02-08.10:20:48

From https://discuss.tryton.org/t/uwsgi-is-vulnerable-to-a-directory-traversal-problem-on-2-0-19-1/3780.
Our override of SharedDataMiddleware.get_directory_loader did include the usage of safe_join. So it is possible to escape the root directory.
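
An added example (not Tryton's patch and not werkzeug's code) contrasting the plain posixpath.join fallback mentioned in the thread with a containment check of the kind safe_join performs. The root directory, the sample request paths and all function names are constructed for illustration.

```python
import posixpath

ROOT = "/srv/app/data"  # constructed root directory, not a Tryton path

# Constructed request paths: two benign, three that try to leave the root.
SAMPLES = ["index.html", "css/../index.html", "../../etc/hostname",
           "/etc/hostname", "a/../../b"]


def naive_join(root, requested):
    """Plain posixpath.join: no containment check on the request path."""
    return posixpath.normpath(posixpath.join(root, requested))


def contained_join(root, requested):
    """Return the joined path, or None if it would leave root.

    Simplified stand-in (an assumption) for the check safe_join performs.
    """
    if requested:
        requested = posixpath.normpath(requested)
    # Reject absolute paths and anything that still climbs after normalising.
    if (posixpath.isabs(requested)
            or requested == ".."
            or requested.startswith("../")):
        return None
    return posixpath.join(root, requested)


def is_inside(root, path):
    """True when the normalised path is root itself or below it."""
    root = posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def audit(requests, root=ROOT):
    """Map each request to (naive result stays inside root, contained result)."""
    return {req: (is_inside(root, naive_join(root, req)),
                  contained_join(root, req))
            for req in requests}


if __name__ == "__main__":
    for req, (naive_ok, safe) in audit(SAMPLES).items():
        print(f"{req!r:24} naive inside root: {naive_ok!s:5} contained: {safe}")
```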

History
Date                 User         Action  Args
2021-02-12 10:22:07  roundup-bot  set     messages: + msg64490
2021-02-12 10:21:39  roundup-bot  set     messages: + msg64489
                                          status: testing -> resolved
2021-02-09 18:34:48  pokoli       set     messages: + msg64426
2021-02-08 10:27:43  ced          set     keyword: + review
                                          messages: + msg64361
                                          reviews: 333851027
                                          status: in-progress -> testing
2021-02-08 10:20:48  ced          create