From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS4713 221.184.0.0/13 X-Spam-Status: No, score=-4.0 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED, SPF_PASS shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from neon.ruby-lang.org (neon.ruby-lang.org [221.186.184.75]) by dcvr.yhbt.net (Postfix) with ESMTP id 541D71F45F for ; Tue, 7 May 2019 12:30:39 +0000 (UTC) Received: from neon.ruby-lang.org (localhost [IPv6:::1]) by neon.ruby-lang.org (Postfix) with ESMTP id BDC3B120AED; Tue, 7 May 2019 21:30:33 +0900 (JST) Received: from o1678948x4.outbound-mail.sendgrid.net (o1678948x4.outbound-mail.sendgrid.net [167.89.48.4]) by neon.ruby-lang.org (Postfix) with ESMTPS id BBDE8120A53 for ; Tue, 7 May 2019 21:30:30 +0900 (JST) Received: by filter0102p3iad2.sendgrid.net with SMTP id filter0102p3iad2-18653-5CD17A66-40 2019-05-07 12:30:30.443238787 +0000 UTC m=+54053.768597221 Received: from herokuapp.com (ec2-34-228-113-206.compute-1.amazonaws.com [34.228.113.206]) by ismtpd0025p1mdw1.sendgrid.net (SG) with ESMTP id xubusWp2Rlyn5QcvLO4N_w for ; Tue, 07 May 2019 12:30:30.261 +0000 (UTC) Date: Tue, 07 May 2019 12:30:31 +0000 (UTC) From: naruse@airemix.jp To: ruby-core@ruby-lang.org Message-ID: References: Mime-Version: 1.0 X-Redmine-MailingListIntegration-Message-Ids: 68066 X-Redmine-Project: ruby-trunk X-Redmine-Issue-Id: 15835 X-Redmine-Issue-Author: Dhiraj X-Redmine-Sender: naruse X-Mailer: Redmine X-Redmine-Host: bugs.ruby-lang.org X-Redmine-Site: Ruby Issue Tracking System X-Auto-Response-Suppress: All Auto-Submitted: auto-generated X-SG-EID: ync6xU2WACa70kv/Ymy4QrNMhiuLXJG8OTL2vJD1yS4sCLYGfIeHyJX1noRNnKwxHSVcoj3R+PThoj cvSwcr6PSGO7aJHzhFCtJ7WPOu+bdbmBzvZ3dseCx2z+k792nrSXk0SQX90uy66pQepfTJ8e+5byWF FvgBJtu6e1WKgjYQP3WEFzrvQqaV3FzEo9xJvSaTPohR4xR/lSTKU+wULw== X-ML-Name: ruby-core X-Mail-Count: 92583 Subject: [ruby-core:92583] [Ruby trunk Bug#15835] Path traversal symlink - WEBrick X-BeenThere: ruby-core@ruby-lang.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: Ruby developers List-Id: Ruby developers List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ruby-core-bounces@ruby-lang.org Sender: "ruby-core" Issue #15835 has been updated by naruse (Yui NARUSE). Status changed from Open to Feedback On Apache with `FollowSymLinks` enabled, it can traverse out of DocumentRoot. hxxps://httpd.apache.org/docs/2.4/en/urlmapping.html Therefore it's not a problem. ---------------------------------------- Bug #15835: Path traversal symlink - WEBrick https://bugs.ruby-lang.org/issues/15835#change-77945 * Author: Dhiraj (Dhiraj Mishra) * Status: Feedback * Priority: Normal * Assignee: * Target version: * ruby -v: 2.6.3 * Backport: 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN ---------------------------------------- **Summary:** A path traversal issue was observed in WEBrick ( WEBrick/1.4.2 (Ruby/2.6.3/2019-04-16)) via symlink. WEBrick serves static page for the current directory once enabled, however using symlink attacker could view data outside the hosted/running directory. **Steps to reproduce:** > mkdir nothing > cd nothing > ln -s ../../ symlnk > ruby -run -ehttpd . -p8080 **Impact:** This would allow the attacker to view sensitive data outside the root/running directory. **Recommendation:** We can probably educate users about this behavior in the WebBrick documentation and providing a flag/parameter to disable/enable following symlinks. -- https://bugs.ruby-lang.org/