From 92d28f6940cb7c69f63c07a9645a1b897b0fe9a0 Mon Sep 17 00:00:00 2001 From: Sawyer X Date: Sun, 8 Sep 2019 21:27:46 +0200 Subject: [PATCH] Resolve relative paths in send_file: If someone were to send a file to send_file() that includes '../', then we would allow them to reach outside the directory we choose. This is a possible security issue. (One can argue the user should sanitize their input, but I think we simply shouldn't allow it.) The problem is that Path::Tiny does the right thing and allows us to reach there. To prevent that, we're resolving paths using Path::Tiny's realpath() method and then subsumes() to see that the file is within the original directory. Otherwise, we send a 403 forbidden. There is also a test that verifies this is done correctly. --- lib/Dancer2/Core/App.pm | 8 +++++++- t/dsl/send_file.t | 15 +++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/lib/Dancer2/Core/App.pm b/lib/Dancer2/Core/App.pm index 4c94160b3..f90601275 100644 --- a/lib/Dancer2/Core/App.pm +++ b/lib/Dancer2/Core/App.pm @@ -1044,8 +1044,14 @@ sub send_file { $self->with_return->( $self->response ); }; - $file_path = Path::Tiny::path( $dir, $path ); + # resolve relative paths (with '../') as much as possible + $file_path = Path::Tiny::path( $dir, $path )->realpath; + # We need to check whether they are trying to access + # a directory outside their scope + $err_response->(403) if !Path::Tiny::path($dir)->realpath->subsumes($file_path); + + # other error checks $err_response->(403) if !$file_path->exists; $err_response->(404) if !$file_path->is_file; $err_response->(403) if !-r $file_path; diff --git a/t/dsl/send_file.t b/t/dsl/send_file.t index 0ea2594ba..48cd3cd7d 100644 --- a/t/dsl/send_file.t +++ b/t/dsl/send_file.t @@ -23,6 +23,10 @@ use Ref::Util qw; send_file 'index.html'; }; + get '/illegal' => sub { + send_file '../index.html'; + }; + prefix '/some' => sub { get '/image' => sub { send_file '1x1.png'; @@ -144,6 +148,17 @@ test_psgi $app, sub { ok($r->is_success, 'send_file returns success'); is($r->header('Content-Disposition'), 'inline; filename="1x1.png"', 'send_file returns correct inline Content-Disposition'); }; + + subtest "Illegal path" => sub { + my $r = $cb->( GET '/illegal' ); + is( $r->code, 403, 'Illegal path returns 403' ); + is( + $r->content, + 'Forbidden', + 'Text content contains UTF-8 characters', + ); + }; + }; done_testing;