YunoHost/package_linter
1
0
Fork 0
mirror of https://github.com/YunoHost/package_linter.git synced 2024-09-03 20:06:12 +02:00
Code Issues Projects Releases Packages Wiki Activity

Also report path traversal issue if alias path doesn't use __FINALPATH__

Browse source
This commit is contained in:
Alexandre Aubin 2019-03-20 21:59:04 +01:00 committed by Alexandre Aubin
parent 450249197b
commit 8a62054f34
1 changed files with 13 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
package_linter.py
View file

@ -207,7 +207,18 @@ class App():
for block in nginxconf: for block in nginxconf:
for location, alias in find_location_with_alias(block): for location, alias in find_location_with_alias(block):
alias_path = alias[-1] alias_path = alias[-1]
if not location.endswith("/") and alias_path.endswith("/"): # For path traversal issues to occur, both of those are needed :
# - location /foo { (*without* a / after foo)
# - alias /var/www/foo/ (*with* a / after foo)
#
# Note that we also consider a positive the case where
# the alias folder (e.g. /var/www/foo/) does not ends
# with / if __FINALPATH__ ain't used ... that probably
# means that the app is not using the standard nginx
# helper, and therefore it is likely to be replaced by
# something ending with / ...
if not location.endswith("/") \
and (alias_path.endswith("/") or "__FINALPATH__" not in alias_path):
yield location yield location
for location in find_path_traversal_issue(nginxconf): for location in find_path_traversal_issue(nginxconf):