ruby-core@ruby-lang.org archive (unofficial mirror)
From: shevegen@gmail.com
To: ruby-core@ruby-lang.org
Subject: [ruby-core:92599] [Ruby trunk Bug#15835] Path traversal symlink - WEBrick
Date: Wed, 08 May 2019 15:04:04 +0000 (UTC)	[thread overview]
Message-ID: <redmine.journal-77959.20190508150403.928b87a744bdb847@ruby-lang.org> (raw)
In-Reply-To: redmine.issue-15835.20190507093317@ruby-lang.org

Issue #15835 has been updated by shevegen (Robert A. Heiler).


While I agree with naruse, it may be worthwhile to mention this briefly at e.g.
https://ruby-doc.org/stdlib/libdoc/webrick/rdoc/WEBrick.html - it could still surprise
users, so it could be useful to mention it; perhaps at the section "WEBrick can be run
as a production server for small loads.".

As writing documentation is always a bit tedious, I will try my luck with a slight
modification to it here, from:

"WEBrick can be run as a production server for small loads. Be aware that symlinks 
might allow users to view data outside of the designated root directory, such as
for the Apache webserver with the FollowSymlinks option enabled".

Not sure if this is great but I just wanted to provide a bit of text - perhaps it
can help others adapt it and write an improved documentation; it's just a suggestion.

----------------------------------------
Bug #15835: Path traversal symlink - WEBrick
https://bugs.ruby-lang.org/issues/15835#change-77959

* Author: Dhiraj (Dhiraj Mishra)
* Status: Feedback
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 2.6.3
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------
**Summary:**
A path traversal issue was observed in WEBrick (WEBrick/1.4.2 (Ruby/2.6.3/2019-04-16)) via symlink. WEBrick serves static pages for the current directory once enabled; however, using a symlink, an attacker could view data outside the hosted/running directory.

**Steps to reproduce:**
```
> mkdir nothing
> cd nothing
> ln -s ../../ symlnk
> ruby -run -ehttpd . -p8080
```

**Impact:**
This would allow the attacker to view sensitive data outside the root/running directory. 

**Recommendation:**
We can probably educate users about this behavior in the WEBrick documentation and provide a flag/parameter to disable/enable following symlinks.



-- 
https://bugs.ruby-lang.org/
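As an added example (not WEBrick's own code, nor code posted by the reporter), one way to implement the check the recommendation asks for: resolve the requested file with `realpath` and serve it only if the resolved path still lies under the document root. The function names `within_docroot?` and `demo_symlink_escape` and the temporary directory layout are assumptions of this example; the layout mirrors the reproduction steps above, with a constructed secret file one level above the served directory.

```ruby
# Added example (not WEBrick's own code): reject requests whose resolved
# filesystem path escapes the document root, even when a symlink inside the
# root points outside it.
require "tmpdir"
require "fileutils"
require "pathname"

# Returns true when +requested+ (a request path such as "/symlnk/secret.txt")
# resolves, after following every symlink, to a file that still lives under
# +docroot+. Unresolvable or unreadable paths are treated as unsafe.
def within_docroot?(docroot, requested)
  root = Pathname.new(docroot).realpath
  # Drop leading slashes so "/etc/passwd" is joined as a relative component,
  # not taken as an absolute path.
  rel = requested.sub(%r{\A/+}, "")
  candidate = root.join(rel)
  return false unless candidate.exist?
  real = candidate.realpath
  # Require the root directory followed by a separator (or exact equality),
  # so "/srv/www2" is not mistaken for a child of "/srv/www".
  real == root || real.to_s.start_with?(root.to_s + File::SEPARATOR)
rescue Errno::ENOENT, Errno::EACCES, Errno::ELOOP
  false
end

# Builds a throwaway layout mirroring the report's reproduction steps
# (constructed data, removed afterwards) and returns, per request path,
# whether a realpath-checking handler would serve it.
def demo_symlink_escape
  Dir.mktmpdir("webrick-symlink") do |base|
    outside = File.join(base, "outside")
    root = File.join(base, "nothing")
    FileUtils.mkdir_p(outside)
    FileUtils.mkdir_p(root)
    File.write(File.join(outside, "secret.txt"), "constructed secret\n")
    File.write(File.join(root, "index.html"), "<h1>hello</h1>\n")
    # The symlink inside the document root points one level up, as in the report.
    File.symlink("..", File.join(root, "symlnk"))

    {
      "/index.html"                => within_docroot?(root, "/index.html"),
      "/symlnk/outside/secret.txt" => within_docroot?(root, "/symlnk/outside/secret.txt"),
      "/symlnk/nothing/index.html" => within_docroot?(root, "/symlnk/nothing/index.html"),
      "/../outside/secret.txt"     => within_docroot?(root, "/../outside/secret.txt"),
    }
  end
end

if $PROGRAM_NAME == __FILE__
  demo_symlink_escape.each { |path, ok| puts "#{ok ? 'serve ' : 'reject'} #{path}" }
end
```

The check deliberately compares resolved paths rather than refusing every symlink: a link that resolves back inside the root (the `/symlnk/nothing/index.html` case) is still served, while a link or `..` sequence that lands outside the root is rejected. A server that wants the stricter "never follow symlinks" behaviour the recommendation mentions can additionally reject any path component for which `File.symlink?` is true.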

Thread overview: 3+ messages
     [not found] <redmine.issue-15835.20190507093317@ruby-lang.org>
2019-05-07  9:33 ` [ruby-core:92580] [Ruby trunk Bug#15835] Path traversal symlink - WEBrick mishra.dhiraj95
2019-05-07 12:30 ` [ruby-core:92583] " naruse
2019-05-08 15:04 ` shevegen [this message]
