
Path traversal vulnerability without Session #26

Open
@olivervbk

Description


Hi,

I've noticed that the function 'def giveOutStaticFile' does not properly sanitize the 'uri' variable:

```ruby
filename = params[:uri]+ext
filepath = "../../../../vendor/#{Mathjax::Rails::DIRNAME}/#(unknown)"

extname = File.extname(filename)[1..-1]
mime_type = Mime::Type.lookup_by_extension(extname)
options = Hash.new
options[:type] = mime_type.to_s unless mime_type.nil?
options[:disposition] = 'inline'
file = File.expand_path(filepath, __FILE__)
```

So it is possible to inject URLs like:

```
/mathjax/%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/passwd
```

or on Heroku apps:

```
/mathjax/%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../apps/Gemfile
```

Suggested fix (please check the PR: #25):

```ruby
return render status: 404 if Pathname.new(filename).cleanpath.to_s != filename
```

Please consider that `params[:uri]` and `params[:ext]` could be subject to path traversal, since both are included in the `filename` variable.

If there is anything I can help you with, please feel free to ask.

Best regards,
Oliver Kuster
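The check proposed in the issue, combined with a containment test, as an added example that is not part of the original report or of the mathjax-rails gem. The `cleanpath` comparison alone rejects any `..`, `.` or doubled separators, but it accepts an absolute path unchanged (`Pathname.new("/etc/passwd").cleanpath.to_s == "/etc/passwd"`), so the example also rejects leading separators and verifies that the joined path still lies under the assumed base directory. `MATHJAX_DIR` and `safe_static_path` are placeholder names chosen here; the base directory is a constructed value, not the gem's real layout.

```ruby
require "pathname"

# Assumed base directory for the served MathJax assets (constructed placeholder,
# not the real path the gem computes from Mathjax::Rails::DIRNAME).
MATHJAX_DIR = Pathname.new("/srv/app/vendor/mathjax").cleanpath

# Builds the filename the same way the issue shows (uri + ext) and returns the
# resolved Pathname when the request stays inside the base directory, or nil
# when the controller should answer 404 instead. Both inputs are checked
# because both end up in the filename.
def safe_static_path(uri, ext, base = MATHJAX_DIR)
  filename = uri.to_s + ext.to_s

  # A NUL byte would truncate the name in File operations; treat it as hostile.
  return nil if filename.empty? || filename.include?("\0")

  # Check from the issue: if cleanpath changes the string, it contained "..",
  # ".", or redundant separators, so refuse it rather than normalising it.
  return nil if Pathname.new(filename).cleanpath.to_s != filename

  # cleanpath leaves absolute paths intact, and Pathname#+ discards the base
  # when the right-hand side is absolute, so reject a leading separator too.
  return nil if filename.start_with?("/")

  # Final containment check: the joined, normalised path must stay under base.
  resolved = (base + filename).cleanpath
  return nil unless resolved.to_s.start_with?(base.to_s + "/")

  resolved
end

# Maps a request to the status and path a controller would use.
def static_file_response(uri, ext)
  path = safe_static_path(uri, ext)
  path.nil? ? [404, nil] : [200, path.to_s]
end

if __FILE__ == $0
  # The decoded form of the traversal URL quoted in the issue is refused;
  # an ordinary asset request resolves under the base directory.
  p static_file_response("/../../../../../../../../../../../../etc/passwd", "")
  p static_file_response("MathJax", ".js")
end
```

The checks are purely lexical; a symlink placed inside the asset directory could still point outside it, so for files that are expected to exist, comparing `realpath` against the base gives a stronger guarantee.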
