Path Traversal Attacks on Windows #1691
Comments
Can you make a pull request including a test that fails before and passes after your change? |
#1698 - created a pull request. What do you think about changing the function (normalizePath) further? Please check the changes |
@egovorukhin @erikdubbelboer This was supposed to be reported using the process here: https://github.com/valyala/fasthttp/security This could qualify for a CVE, and it was reported improperly. |
I think we should just disable FS on Windows. It's not safe, it's not properly tested and nobody should be using it in production. |
Let's replace backslashes with slashes when used on Windows; then the "path traversal" check will occur. What do you think about this?

file - uri.go

```go
// uri.go (fragment; needs "path/filepath" imported)
// On Windows the separator is '\\', so fold it into '/' before normalizing.
if filepath.Separator == '\\' {
	dst = replaceSlashes(dst)
}
```

https://github.com/egovorukhin/fasthttp/blob/4d48887eb813b0f1caac0217751888897f601d50/uri.go#L579

file - uri_windows.go

```go
// uri_windows.go
// replaceSlashes rewrites every backslash in dst to a forward slash in place.
func replaceSlashes(dst []byte) []byte {
	for i := range dst {
		if dst[i] == '\\' {
			dst[i] = '/'
		}
	}
	return dst
}
```
|
I don't think that will fix it. How about we just reject all requests with |
Ok, let's do this. Do you have a solution? |
Hello, I found another security bug on Windows.
example -

```
curl http://localhost:8081/api/\../\../\../\../\../\../\../\../windows/win.ini -k
```

SOLUTION
file strings.go
file uri.go
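The two ideas in this thread (fold backslashes into slashes before the traversal check, and the curl payload above that slips `\..` past a forward-slash-only check) side by side, as an added example. This is not fasthttp's code and does not use its `normalizePath`; the function names `posixOnlyCheck`, `foldedCheck` and `windowsSegments` are made up for the illustration, and the Windows path reading is a string-level emulation so the program behaves the same on a Linux host. The request path is the one from the curl command.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed request path, copied from the curl command in the issue.
const traversalPayload = `/api/\../\../\../\../\../\../\../\../windows/win.ini`

// hasDotDotSegment reports whether any '/'-delimited segment is exactly "..".
func hasDotDotSegment(p string) bool {
	for _, seg := range strings.Split(p, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// posixOnlyCheck is the weak form: clean with path.Clean, which only knows
// '/', then refuse any ".." segment that is left. To path.Clean the segment
// `\..` is an ordinary file name, so it survives and the request is accepted.
// Returns the path that would reach the file system and whether it passed.
func posixOnlyCheck(reqPath string) (string, bool) {
	cleaned := path.Clean("/" + strings.TrimPrefix(reqPath, "/"))
	return cleaned, !hasDotDotSegment(cleaned)
}

// windowsSegments emulates, at string level, how a Windows file API reads the
// accepted path: both '/' and '\' are separators, so each `\..` becomes a
// ".." that climbs one directory. It never touches the file system.
func windowsSegments(p string) []string {
	return strings.FieldsFunc(p, func(r rune) bool { return r == '/' || r == '\\' })
}

// foldedCheck is the hardened form: fold '\' into '/' first (the replaceSlashes
// idea from the thread, done here with strings.ReplaceAll), then walk the
// segments with a depth counter. Any ".." that would climb above the root is
// rejected outright instead of being silently clamped. Returns the
// root-relative path to serve and whether the request is acceptable.
func foldedCheck(reqPath string) (string, bool) {
	folded := strings.ReplaceAll(reqPath, `\`, "/")
	var kept []string
	for _, seg := range strings.Split(folded, "/") {
		switch seg {
		case "", ".":
			continue
		case "..":
			if len(kept) == 0 {
				return "", false // attempt to escape the root
			}
			kept = kept[:len(kept)-1]
		default:
			kept = append(kept, seg)
		}
	}
	return "/" + strings.Join(kept, "/"), true
}

func main() {
	p, ok := posixOnlyCheck(traversalPayload)
	fmt.Printf("posix-only check: accepted=%v path=%s\n", ok, p)
	fmt.Printf("as Windows reads it: %q\n", windowsSegments(p))
	p, ok = foldedCheck(traversalPayload)
	fmt.Printf("folded check: accepted=%v path=%q\n", ok, p)
	p, ok = foldedCheck(`/api/v1\..\items/./list`)
	fmt.Printf("folded check on benign path: accepted=%v path=%q\n", ok, p)
}
```

The posix-only variant returns the payload unchanged and accepts it, and the Windows reading of that accepted string contains eight parent steps. The folded variant rejects the payload because the second `..` would leave the root, while a benign path with a single backslash `..` still resolves to `/api/items/list`.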