From: mishra.dhiraj95@gmail.com
To: ruby-core@ruby-lang.org
Date: Tue, 07 May 2019 09:33:18 +0000 (UTC)
Subject: [ruby-core:92580] [Ruby trunk Bug#15835] Path traversal symlink - WEBrick
X-Redmine-Issue-Id: 15835
X-Redmine-Host: bugs.ruby-lang.org
List-Id: Ruby developers

Issue #15835 has been reported by Dhiraj (Dhiraj Mishra).

----------------------------------------
Bug #15835: Path traversal symlink - WEBrick
https://bugs.ruby-lang.org/issues/15835

* Author: Dhiraj (Dhiraj Mishra)
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
* ruby -v: 2.6.3
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------

**Summary:**

A path traversal issue was observed in WEBrick (WEBrick/1.4.2 (Ruby/2.6.3/2019-04-16)) via symlink. WEBrick serves a static page for the current directory once enabled; however, using a symlink an attacker could view data outside the hosted/running directory.

**Steps to reproduce:**

> mkdir nothing
> cd nothing
> ln -s ../../ symlnk
> ruby -run -ehttpd . -p8080

**Impact:**

This would allow the attacker to view sensitive data outside the root/running directory.

**Recommendation:**

We can probably educate users about this behavior in the WEBrick documentation and provide a flag/parameter to disable/enable following symlinks.

-- 
https://bugs.ruby-lang.org/
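The reproduction in the report works because a symlink inside the served directory can point anywhere on the filesystem, and a purely lexical check (stripping `..`, or prefix-matching the joined path string) never notices that. The Ruby below is an added example, not code from WEBrick or from the report: it resolves the joined path with `File.realpath`, which follows every symlink component, and accepts the file only if the resolved path is still under the resolved document root. It then rebuilds the reporter's layout in a scratch directory to show the symlink route being refused while a normal file is still served. The directory layout, `secret.txt`, and the names `resolve_under_docroot` and `demo_symlink_escape` are constructed for this example.

```ruby
# Added example (not WEBrick's or the reporter's code): refuse to serve any
# file whose *resolved* location falls outside the document root, so a link
# such as "symlnk -> ../../" cannot expose files the server never meant to.
require "tmpdir"
require "fileutils"

# Map a request path onto docroot and return the real filesystem path only if
# it still lies inside the real docroot. Returns nil for anything that does
# not exist or that escapes (via "..", via a symlink, or both).
def resolve_under_docroot(docroot, request_path)
  root = File.realpath(docroot)
  candidate = File.join(root, request_path)
  real = begin
    # realpath collapses ".." AND follows every symlink component, which is
    # exactly what a lexical check (expand_path, a ".." filter) does not do.
    File.realpath(candidate)
  rescue SystemCallError # ENOENT, ENOTDIR, ELOOP, EACCES, ...
    return nil
  end
  # Compare with a trailing separator so "/srv/www-private" is not accepted
  # as lying under "/srv/www".
  return real if real == root || real.start_with?(root + File::SEPARATOR)
  nil
end

# Rebuild the reporter's layout in a scratch directory (every file here is
# constructed for the example) and exercise the check against it:
#   <tmp>/outside/secret.txt               data that must stay unreachable
#   <tmp>/outside/nothing/                 the served document root
#   <tmp>/outside/nothing/index.html       a legitimately served file
#   <tmp>/outside/nothing/symlnk -> ../../ points back at <tmp>
def demo_symlink_escape
  Dir.mktmpdir do |tmp|
    outside = File.join(tmp, "outside")
    docroot = File.join(outside, "nothing")
    FileUtils.mkdir_p(docroot)
    File.write(File.join(outside, "secret.txt"), "constructed secret\n")
    File.write(File.join(docroot, "index.html"), "<h1>hello</h1>\n")
    File.symlink("../../", File.join(docroot, "symlnk"))

    via_link = "symlnk/outside/secret.txt"
    {
      # a normal file inside the docroot is still served
      index_served: !resolve_under_docroot(docroot, "index.html").nil?,
      # plain ".." traversal is rejected
      dotdot_rejected: resolve_under_docroot(docroot, "../secret.txt").nil?,
      # the symlink route from the report is rejected as well
      symlink_rejected: resolve_under_docroot(docroot, via_link).nil?,
      # ...even though the target exists, so a handler that simply opens the
      # joined path would read it
      target_exists: File.exist?(File.join(docroot, via_link)),
      # ...and a prefix check on the *unresolved* path is fooled, because
      # expand_path never consults the filesystem
      lexical_check_fooled: File.expand_path(File.join(docroot, via_link))
                                .start_with?(docroot + File::SEPARATOR),
    }
  end
end

if $PROGRAM_NAME == __FILE__
  demo_symlink_escape.each { |name, result| puts "#{name}: #{result}" }
end
```

One caveat for anyone adapting this: the realpath check and the later `File.open` are two separate steps, so a local writer who can swap the link between them still wins. Where that threat matters, open the file first and verify the opened descriptor (for example compare `File::Stat#dev` and `#ino` of the open file against a fresh `stat` of the resolved path), rather than trusting the path string alone.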