From 0443e40c11280ba3b7efcba61522afa70c4f8158 Mon Sep 17 00:00:00 2001
From: Ernesto Puerta
Date: Wed, 15 Jan 2020 13:54:26 +0100
Subject: [PATCH] mgr/dashboard: fix improper URL checking
This change disables up-level references beyond the HTTP base directory. [CVE-2020-1699]
Fixes: https://tracker.ceph.com/issues/43607
Signed-off-by: Ernesto Puerta
---
 src/pybind/mgr/dashboard/controllers/home.py | 5 +++++
 src/pybind/mgr/dashboard/tests/test_home.py | 7 +++++++
 2 files changed, 12 insertions(+)
diff --git a/src/pybind/mgr/dashboard/controllers/home.py b/src/pybind/mgr/dashboard/controllers/home.py
index 517245ee88d..90f976329c5 100644
--- a/src/pybind/mgr/dashboard/controllers/home.py
+++ b/src/pybind/mgr/dashboard/controllers/home.py
@@ -115,6 +115,11 @@ class HomeController(BaseController, LanguageMixin):
         base_dir = self._language_dir(langs)
         full_path = os.path.join(base_dir, path)
+
+        # Block uplevel attacks
+        if not os.path.normpath(full_path).startswith(os.path.normpath(base_dir)):
+            raise cherrypy.HTTPError(403)  # Forbidden
+
         logger.debug("serving static content: %s", full_path)
         if 'Vary' in cherrypy.response.headers:
             cherrypy.response.headers['Vary'] = "{}, Accept-Language"
diff --git a/src/pybind/mgr/dashboard/tests/test_home.py b/src/pybind/mgr/dashboard/tests/test_home.py
index 1ed22c9c0fc..2ec1b2ad764 100644
--- a/src/pybind/mgr/dashboard/tests/test_home.py
+++ b/src/pybind/mgr/dashboard/tests/test_home.py
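Review bot: The new guard is a plain string-prefix test, so `os.path.normpath(full_path).startswith(os.path.normpath(base_dir))` also accepts a sibling of base_dir whose name merely begins with base_dir's last component (constructed example: a language directory `en` next to `en_extra`), which is looser than the "beyond the HTTP base directory" intent in the commit message. A separator-aware comparison closes that gap: `if os.path.commonpath([os.path.normpath(base_dir), os.path.normpath(full_path)]) != os.path.normpath(base_dir):` (Python 3.4+; if this module still has to run on an interpreter without commonpath, test for equality or for a prefix that ends in os.sep instead). normpath also does not resolve symlinks, so if the directories returned by `_language_dir` can contain links the same comparison should be made on `os.path.realpath` of both sides; whether that applies cannot be seen from the hunk. The enclosing method starts before the hunk, and the hunk's last context line appears truncated in this copy.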
@@ -42,6 +42,13 @@ class HomeTest(ControllerTestCase, FakeFsMixin):
         logger.info(self.body)
         self.assertIn('', self.body.decode('utf-8'))
 
+    @mock.patch(FakeFsMixin.builtins_open, new=FakeFsMixin.f_open)
+    @mock.patch('os.stat', new=FakeFsMixin.f_os.stat)
+    @mock.patch('os.listdir', new=FakeFsMixin.f_os.listdir)
+    def test_home_uplevel_check(self):
+        self._get('/../../../../../../etc/shadow')
+        self.assertStatus(403)
+
     @mock.patch(FakeFsMixin.builtins_open, new=FakeFsMixin.f_open)
     @mock.patch('os.stat', new=FakeFsMixin.f_os.stat)
     @mock.patch('os.listdir', new=FakeFsMixin.f_os.listdir)
-- 
2.39.5
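Review bot: `test_home_uplevel_check` pins only the literal `..` shape of the request and nothing else about the new guard, so it would still pass if the controller's prefix comparison accepted a sibling directory that shares base_dir's name as a prefix. A second case that points the fake filesystem at a base such as `/x/en` and at a sibling `/x/en_extra` (constructed names) and asserts 403 for a file under the sibling would pin that the check is separator-aware. It is also not visible from the hunk whether `_get` hands the path to the controller verbatim or whether the test client collapses it first; if the latter, the 403 may not be attributable to the new guard, and a test that calls the controller method directly would make that explicit. `HomeTest` begins outside the hunk.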