Date: Wed, 08 May 2019 15:04:04 +0000 (UTC)
From: shevegen@gmail.com
X-Redmine-Issue-Id: 15835
X-Redmine-Issue-Author: Dhiraj
X-Redmine-Sender: shevegen
X-Redmine-Host: bugs.ruby-lang.org
To: ruby-core@ruby-lang.org
Subject: [ruby-core:92599] [Ruby trunk Bug#15835] Path traversal symlink - WEBrick

Issue #15835 has been updated by shevegen (Robert A. Heiler).

While I agree with naruse, it may be worthwhile to mention this briefly at e.g. https://ruby-doc.org/stdlib/libdoc/webrick/rdoc/WEBrick.html - it could still surprise users, so it could be useful to mention it; perhaps at the section "WEBrick can be run as a production server for small loads."

As writing documentation is always a bit tedious, I will try my luck with a slight modification to it here, from:

"WEBrick can be run as a production server for small loads. Be aware that symlinks might allow users to view data outside of the designated root directory, such as for the Apache webserver with the FollowSymlinks option enabled."

Not sure if this is great, but I just wanted to provide a bit of text - perhaps it can help others adapt it and write improved documentation; it's just a suggestion.

----------------------------------------
Bug #15835: Path traversal symlink - WEBrick
https://bugs.ruby-lang.org/issues/15835#change-77959

* Author: Dhiraj (Dhiraj Mishra)
* Status: Feedback
* Priority: Normal
* Assignee:
* Target version:
* ruby -v: 2.6.3
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------

**Summary:**

A path traversal issue was observed in WEBrick (WEBrick/1.4.2 (Ruby/2.6.3/2019-04-16)) via symlink.
WEBrick serves static pages for the current directory once enabled; however, using a symlink, an attacker could view data outside the hosted/running directory.

**Steps to reproduce:**

> mkdir nothing
> cd nothing
> ln -s ../../ symlnk
> ruby -run -ehttpd . -p8080

**Impact:**

This would allow the attacker to view sensitive data outside the root/running directory.

**Recommendation:**

We can probably educate users about this behavior in the WEBrick documentation and provide a flag/parameter to disable/enable following symlinks.

-- 
https://bugs.ruby-lang.org/
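The recommendation above asks for a way to refuse symlinks that lead outside the document root. The check below is an added example written for this page; it is not WEBrick's code and not part of the thread. `check_request_path` and `symlink_escape_demo` are hypothetical names, and the directory layout is constructed in a temporary directory to mirror the reproduction steps (a root named `nothing` containing a `symlnk` that points above it). It shows why lexical `..` handling is not enough and how a real-path containment check, or the stricter "no symlinks at all" policy the report proposes, catches the escape.

```ruby
require "tmpdir"
require "fileutils"
require "pathname"

# Hypothetical containment check, not WEBrick's own code. Maps a URL path onto
# a document root and decides whether the target may be served.
#
#   follow_symlinks: true  -> symlinks are allowed as long as the resolved real
#                             path still lies inside the real document root
#   follow_symlinks: false -> any symlink on the request path is refused, the
#                             behaviour the report asks for behind a flag
#
# Returns :ok, :not_found, :outside_root or :symlink_refused.
def check_request_path(doc_root, request_path, follow_symlinks: true)
  # The root itself may sit behind a symlink (e.g. /tmp on macOS), so resolve it first.
  root = File.realpath(doc_root)

  # Lexical normalisation only: "/a/../b" -> "/b", and leading ".." segments
  # cannot climb above "/" so they are dropped. This step does nothing against
  # symlinks, which is the whole point of the report.
  url_path = request_path.start_with?("/") ? request_path : "/#{request_path}"
  rel = Pathname.new(url_path).cleanpath.to_s
  candidate = File.expand_path(File.join(root, rel))
  return :not_found unless File.exist?(candidate)

  # realpath follows every symlink component; compare the result with the root.
  real = File.realpath(candidate)
  return :symlink_refused if !follow_symlinks && real != candidate

  inside = real == root || real.start_with?(root + File::SEPARATOR)
  inside ? :ok : :outside_root
end

# Throwaway layout mirroring the report (constructed sample data): a document
# root "nothing" containing a symlink "symlnk" that points above the root, plus
# a second symlink that stays inside it. Returns the verdict for each request.
def symlink_escape_demo
  Dir.mktmpdir do |tmp|
    outside = File.join(tmp, "outside")
    docroot = File.join(tmp, "nothing")
    FileUtils.mkdir_p([outside, docroot])
    File.write(File.join(outside, "secret.txt"), "not meant for the web\n")
    File.write(File.join(docroot, "index.html"), "<h1>hello</h1>\n")
    File.symlink(outside, File.join(docroot, "symlnk"))          # escapes the root
    File.symlink("index.html", File.join(docroot, "alias.html")) # stays inside

    {
      index:        check_request_path(docroot, "/index.html"),
      escape:       check_request_path(docroot, "/symlnk/secret.txt"),
      dotdot:       check_request_path(docroot, "/../outside/secret.txt"),
      alias_ok:     check_request_path(docroot, "/alias.html"),
      alias_strict: check_request_path(docroot, "/alias.html", follow_symlinks: false),
    }
  end
end

if $PROGRAM_NAME == __FILE__
  symlink_escape_demo.each { |name, verdict| puts "#{name}: #{verdict}" }
end
```

The `escape` request looks harmless after lexical normalisation (it stays under `/symlnk/...`), yet its real path ends up in the sibling `outside` directory and is reported as `:outside_root`; the plain `..` request is neutralised by `cleanpath` and merely lands on a file that does not exist. The `alias.html` case shows the difference between the two policies: a symlink that resolves inside the root is served under the containment policy but refused under the strict flag. Whichever policy a server adopts, the decision has to be made on the resolved real path, not on the request string.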