#36257: Path Traversal Uncontrolled data used in path expression
-----------------------------------------+--------------------------
Reporter: odaysec | Owner: odaysec
Type: Uncategorized | Status: assigned
Component: Packaging | Version: 5.1
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+--------------------------
https://github.com/django/django/blob/ef6a83789b310a441237a190a493c9586a4cb260/django/views/static.py#L60-L60
Accessing files using paths constructed from user-controlled data can
allow an attacker to access unexpected resources. This can result in
sensitive information being revealed or deleted, or an attacker being able
to influence behavior by modifying unexpected files.
**## POC**
In the first vulnerable, a file name is read from an HTTP request and then
used to access a file. However, a malicious user could enter a file name
that is an absolute path, such as `"/etc/passwd"`.
In the second example, it appears that the user is restricted to opening a
file within the `"user"` home directory. However, a malicious user could
enter a file name containing special characters. the string
`"../../../etc/passwd"` will result in the code reading the file located
at `"/server/static/images/../../../etc/passwd"`, which is the system's
password file. This file would then be sent back to the user, giving them
access to all the system's passwords. Note that a user could also use an
absolute path here, since the result of
`os.path.join("/server/static/images/", "/etc/passwd")` is
`"/etc/passwd"`.
the path used to access the file system is normalized before being checked
against a known prefix. This ensures that regardless of the user input,
the resulting path is safe.
```js
{{{
import os.path
from flask import Flask, request, abort
app = Flask(__name__)
@app.route("/user_picture1")
def user_picture1():
filename = request.args.get('p')
# BAD: This could read any file on the file system
data = open(filename, 'rb').read()
return data
@app.route("/user_picture2")
def user_picture2():
base_path = '/server/static/images'
filename = request.args.get('p')
# BAD: This could still read any file on the file system
data = open(os.path.join(base_path, filename), 'rb').read()
return data
@app.route("/user_picture3")
def user_picture3():
base_path = '/server/static/images'
filename = request.args.get('p')
#GOOD -- Verify with normalised version of path
fullpath = os.path.normpath(os.path.join(base_path, filename))
if not fullpath.startswith(base_path):
raise Exception("not allowed")
data = open(fullpath, 'rb').read()
return data
}}}
```
**## References**
- https://owasp.org/www-community/attacks/Path_Traversal
- http://werkzeug.pocoo.org/docs/utils/#werkzeug.utils.secure_filename
- CWE-22
- CWE-23
- CWE-36
- CWE-73
- CWE-99
--
Ticket URL: <https://code.djangoproject.com/ticket/36257>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/django-updates/0107019597054aae-f66199c2-1e53-474c-9b38-05d23a4f156c-000000%40eu-central-1.amazonses.com.
