From: Ernesto Puerta Date: Wed, 15 Jan 2020 12:54:26 +0000 (+0100) Subject: mgr/dashboard: fix improper URL checking X-Git-Tag: v14.2.7~2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=8392c2cb89a8419411843eaa6bc850ee9d7ef9be;p=ceph.git mgr/dashboard: fix improper URL checking This change disables up-level references beyond the HTTP base directory. [CVE-2020-1699] Fixes: https://tracker.ceph.com/issues/43607 Signed-off-by: Ernesto Puerta (cherry picked from commit 0443e40c11280ba3b7efcba61522afa70c4f8158) Conflicts: - src/pybind/mgr/dashboard/tests/test_home.py (refactored tests)
---
diff --git a/src/pybind/mgr/dashboard/controllers/home.py b/src/pybind/mgr/dashboard/controllers/home.py
index df11340934c..82ad945d0b0 100644
--- a/src/pybind/mgr/dashboard/controllers/home.py
+++ b/src/pybind/mgr/dashboard/controllers/home.py
@@ -100,6 +100,11 @@ class HomeController(BaseController):
 base_dir = self._language_dir(langs)
 full_path = os.path.join(base_dir, path)
+
+ # Block uplevel attacks
+ if not os.path.normpath(full_path).startswith(os.path.normpath(base_dir)):
+ raise cherrypy.HTTPError(403) # Forbidden
+
 logger.debug("serving static content: %s", full_path)
 if 'Vary' in cherrypy.response.headers:
 cherrypy.response.headers['Vary'] = "{}, Accept-Language"
diff --git a/src/pybind/mgr/dashboard/tests/test_home.py b/src/pybind/mgr/dashboard/tests/test_home.py
index 341762572aa..a8054ea0469 100644
--- a/src/pybind/mgr/dashboard/tests/test_home.py
+++ b/src/pybind/mgr/dashboard/tests/test_home.py
@@ -20,6 +20,10 @@ class HomeTest(ControllerTestCase):
 logger.info(self.body)
 self.assertIn('', self.body.decode('utf-8'))
+ def test_home_uplevel_check(self):
+ self._get('/../../../../../../etc/shadow')
+ self.assertStatus(403)
+
 def test_home_en_us(self):
 self._get('/', headers=[('Accept-Language', 'en-US')])
 self.assertStatus(200)
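Review bot: The guard added in the home.py hunk compares the two normalized paths with a bare string `startswith`, so a path that normalizes into a sibling directory whose name merely begins with the language directory's name would still pass the check despite lying outside `base_dir`; whether `_language_dir` can return names with such siblings is not visible here, so this is a boundary hardening rather than a confirmed bypass. Anchoring the prefix on the separator closes the gap: `base_norm = os.path.normpath(base_dir)`, `full_norm = os.path.normpath(full_path)`, and `if full_norm != base_norm and not full_norm.startswith(base_norm + os.sep):` in place of the current condition. The enclosing method begins before and continues after the hunk, so how `path` is obtained from the request is not shown. The new test in test_home.py exercises only the dotted-segment case; a second request for a prefix-sharing sibling name would pin the separator-anchored behaviour.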