agate/src
Matthew Ingwersen 3c38dae599
Fix directory traversal vulnerability
When computing the filesystem path to serve, each URL path segment
appended to the content directory path must be checked to ensure that it
consists only of normal filesystem path components (and not the root
directory, .., drive labels, or other special components). Otherwise,
the following directory traversal attacks are possible:

- When an absolute path is pushed onto a PathBuf, the PathBuf will be
  overwritten. If we don't check for absolute paths, Agate can be
  tricked into serving an arbitrary absolute filesystem path via a URL
  like gemini://example.com/%2Fetc/passwd

- The url crate eliminates all .. segments from the URL when parsing,
  even when these are percent-encoded. However, .. can be injected
  into the computed filesystem path by using a URL path segment that,
  when decoded, contains more than one filesystem path component, like
  gemini://example.com/subdir%2F..%2F../outside_content_dir

Furthermore, path separators appearing within a single URL path segment,
like escaped / (%2F), should probably not be considered structural [0].
That is, "a%2Fb" refers to a resource literally named "a/b", not "b" in
subdirectory "a". Thus we also check that a URL path segment represents
no more than one filesystem path segment.

[0] https://www.w3.org/Addressing/URL/4_URI_Recommentations.html
2021-06-08 08:22:00 +02:00
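
The check the commit message describes, as an added example that is not Agate's own code: a naive join of decoded URL path segments next to a join that accepts a segment only when it decodes to exactly one normal filesystem path component. The function names, the `/srv/content` content directory and the hand-written percent-decoder (standing in for the url crate) are assumptions, and the sample paths assume a Unix filesystem.

```rust
use std::path::{Component, Path, PathBuf};
// Added example: all names and the /srv/content root are assumed, not Agate's.
// Minimal percent-decoder for this example; rejects malformed escapes.
fn percent_decode(seg: &str) -> Option<String> {
    let b = seg.as_bytes();
    let (mut out, mut i) = (Vec::with_capacity(b.len()), 0);
    while i < b.len() {
        if b[i] == b'%' {
            let h = b.get(i + 1..i + 3)?;
            if !h.iter().all(u8::is_ascii_hexdigit) { return None; }
            out.push(u8::from_str_radix(std::str::from_utf8(h).ok()?, 16).ok()?);
            i += 3;
        } else {
            out.push(b[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

// Naive join: pushes each decoded segment straight onto the content dir.
// An absolute segment overwrites the PathBuf; "a/../.." smuggles in "..".
fn naive_path(root: &Path, url_path: &str) -> Option<PathBuf> {
    let mut p = root.to_path_buf();
    for seg in url_path.split('/').filter(|s| !s.is_empty()) {
        p.push(percent_decode(seg)?);
    }
    Some(p)
}

// Checked join: each decoded segment must be exactly one Normal component.
fn checked_path(root: &Path, url_path: &str) -> Option<PathBuf> {
    let mut p = root.to_path_buf();
    for seg in url_path.split('/').filter(|s| !s.is_empty()) {
        let decoded = percent_decode(seg)?;
        let mut comps = Path::new(&decoded).components();
        match (comps.next(), comps.next()) {
            (Some(Component::Normal(c)), None) => p.push(c),
            _ => return None, // root dir, "..", prefix, or several components
        }
    }
    Some(p)
}

fn main() {
    let root = Path::new("/srv/content");
    // Constructed URL paths: one benign, two taken from the commit message.
    let samples = ["/docs/index.gmi", "/%2Fetc/passwd", "/subdir%2F..%2F../outside_content_dir"];
    for u in samples {
        println!("{} naive={:?} checked={:?}", u, naive_path(root, u), checked_path(root, u));
    }
}
```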
..
certificates.rs add automatic certificate generation 2021-03-27 00:52:50 +01:00
main.rs Fix directory traversal vulnerability 2021-06-08 08:22:00 +02:00
metadata.rs resolve clippy warning 2021-03-27 20:31:06 +01:00