From 8392c2cb89a8419411843eaa6bc850ee9d7ef9be Mon Sep 17 00:00:00 2001
From: Ernesto Puerta
Date: Wed, 15 Jan 2020 13:54:26 +0100
Subject: [PATCH] mgr/dashboard: fix improper URL checking

This change disables up-level references beyond the HTTP base directory.
[CVE-2020-1699]
Fixes: https://tracker.ceph.com/issues/43607
Signed-off-by: Ernesto Puerta
(cherry picked from commit 0443e40c11280ba3b7efcba61522afa70c4f8158)
Conflicts:
- src/pybind/mgr/dashboard/tests/test_home.py (refactored tests)
---
 src/pybind/mgr/dashboard/controllers/home.py | 5 +++++
 src/pybind/mgr/dashboard/tests/test_home.py | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/src/pybind/mgr/dashboard/controllers/home.py b/src/pybind/mgr/dashboard/controllers/home.py
index df11340934c00..82ad945d0b00c 100644
--- a/src/pybind/mgr/dashboard/controllers/home.py
+++ b/src/pybind/mgr/dashboard/controllers/home.py
@@ -100,6 +100,11 @@ class HomeController(BaseController):
         base_dir = self._language_dir(langs)
         full_path = os.path.join(base_dir, path)
+
+        # Block uplevel attacks
+        if not os.path.normpath(full_path).startswith(os.path.normpath(base_dir)):
+            raise cherrypy.HTTPError(403)  # Forbidden
+
         logger.debug("serving static content: %s", full_path)
         if 'Vary' in cherrypy.response.headers:
             cherrypy.response.headers['Vary'] = "{}, Accept-Language"
diff --git a/src/pybind/mgr/dashboard/tests/test_home.py b/src/pybind/mgr/dashboard/tests/test_home.py
index 341762572aaa0..a8054ea046940 100644
--- a/src/pybind/mgr/dashboard/tests/test_home.py
+++ b/src/pybind/mgr/dashboard/tests/test_home.py
@@ -20,6 +20,10 @@ class HomeTest(ControllerTestCase):
         logger.info(self.body)
         self.assertIn('', self.body.decode('utf-8'))
 
+    def test_home_uplevel_check(self):
+        self._get('/../../../../../../etc/shadow')
+        self.assertStatus(403)
+
     def test_home_en_us(self):
         self._get('/', headers=[('Accept-Language', 'en-US')])
         self.assertStatus(200)
-- 
2.39.5
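Review bot: The new guard in home.py is a plain string-prefix test, so a normalised path that merely begins with the text of `base_dir` (a sibling directory named like `<base_dir>-something`) would still pass even though it lies outside the served tree; whether such a sibling exists depends on the install layout, which the hunk does not show. Comparing path components rather than characters closes that gap with the same 403 behaviour: `base_norm = os.path.normpath(base_dir)` followed by `if os.path.commonpath([base_norm, os.path.normpath(full_path)]) != base_norm:`. A short comment saying why the check is structural would also help, e.g. `# Reject any resolved path whose directory chain does not start at base_dir (prefix-only tests miss sibling dirs)`. Note also that `normpath` does not resolve symlinks, so the check constrains the requested path, not where a link under base_dir points — worth stating in the comment if that is the intent. The enclosing method begins and ends outside this hunk.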
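Review bot: `test_home_uplevel_check` pins only the rejecting side of the new check; nothing in the test file asserts that a request containing `..` which still resolves inside the language directory keeps serving, so a later tightening of the guard to reject any `..` segment would pass this suite while breaking such URLs. Adding a companion case that requests a path with an inner `..` resolving back under the base directory and asserts 200 would document the intended contract, e.g. `self._get('/x/../index.html')` then `self.assertStatus(200)`, with the concrete file name chosen from what the test fixture actually serves. The class continues outside this hunk.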