Opened 10 years ago

Closed 10 years ago

#2859 closed defect (invalid)

twisted web FilePath uri-encoding bypass (directory traversal)

Reported by: jhart Owned by:
Priority: high Milestone:
Component: web Keywords: uri encode directory traversal
Cc: jhart@…, Jean-Paul Calderone Branch:


I discovered this while casually looking at an application written in TwistedWeb/2.1.0, but have also verified that this likely also exists in version 2.5.0, so chances are that all versions are vulnerable.

The issue is simple. FilePath does not properly check for uri encoded path separators ('/', aka %2F) and, as a result, its checks for directory traversals and the like are not caught and handled by InsecurePath.

The test is simple. Find any simple HTTP server written in twistedweb and try getting /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

Change History (7)

comment:1 Changed 10 years ago by jhart

Cc: jhart@… added

comment:2 Changed 10 years ago by Jean-Paul Calderone

Cc: Jean-Paul Calderone added

Can you be a bit more specific about the vulnerability? runs a Twisted Web based server, for example. If you try this URL:

Then you do not see the passwd file.

comment:3 Changed 10 years ago by jhart

Am I misunderstanding this, or does run web2?

Server: Twisted/2.4.0 TwistedWeb/[twisted.web2, version 0.2.0]

The code I was testing against was TwistedWeb/2.1.0. I've only been able to find two other projects utilizing twisted web -- apt-proxy2 (which has checks that happen to prevent this) and bannerfish (which I cannot get to run). Do you have any other simple HTTP services that use twisted web that are not web2?


comment:4 Changed 10 years ago by Jean-Paul Calderone

exarkun@charm:~$ telnet 80
Connected to
Escape character is '^]'.
GET / HTTP/1.1

HTTP/1.1 302 Found
Date: Wed, 31 Oct 2007 16:42:57 GMT
Content-length: 238
Content-type: text/html
Server: TwistedWeb/2.5.0

        <meta http-equiv="refresh" content="0;URL=">
    <body bgcolor="#FFFFFF" text="#000000">
    <a href="">click here</a>

/trac is reverse-proxied to a twisted.web2 server, the rest is twisted.web-based.

comment:5 Changed 10 years ago by jhart

I may have misdiagnosed this.

The vendor has fixed this in their version of the code -- see

If someone knows of an HTTP application that uses a similarly old version of Twistedweb and can test this, go for it, otherwise we can probably go ahead and close this.


comment:6 Changed 10 years ago by Jean-Paul Calderone

Resolution: invalid
Status: new → closed

Thanks for following up. Since there isn't a demonstrated vulnerability and there is test coverage for correct handling of the case in question, I'm going to close this. If you learn anything else, feel free to re-open it with more information.
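The ticket description and the closing comment turn on one ordering question: whether the percent-encoded slash in `..%2f..` is decoded before or after the request path is split into segments. The following stand-alone Python sketch, added here and not code from Twisted or from anyone in this thread, models the per-segment containment check that FilePath.child performs and runs it against the URL from the report. `InsecurePath`, `child()`, `resolve()`, `naive_resolve()` and `is_contained()` are hypothetical helpers written for this illustration, and `/srv/www` and the benign path are constructed sample values.

```python
"""
Added example (not Twisted's own code): a stand-alone sketch of the
per-segment containment check that FilePath.child performs, run against
the ticket's encoded-traversal URL.  It shows why "split on '/' first,
then percent-decode each segment" keeps %2f from acting as a separator.
InsecurePath, child() and the resolvers are hypothetical helpers written
for this illustration; the root and benign path are constructed values.
"""
import posixpath
from urllib.parse import unquote


class InsecurePath(Exception):
    """A segment would name something outside its parent directory."""


def child(parent: str, segment: str) -> str:
    """Return parent/segment, refusing anything that is not a single entry.

    Mirrors the two checks in FilePath.child: a separator inside the
    segment is refused outright, and the joined, normalised result must
    still lie under parent (which rejects '..').  POSIX-style strings only.
    """
    if "/" in segment or "\\" in segment:
        raise InsecurePath(f"separator inside segment {segment!r}")
    joined = posixpath.normpath(posixpath.join(parent, segment))
    if joined != parent and not joined.startswith(parent.rstrip("/") + "/"):
        raise InsecurePath(f"{segment!r} escapes {parent!r}")
    return joined


def resolve(root: str, url_path: str) -> str:
    """Walk url_path from root the way twisted.web's Request does: split on
    the literal '/' of the request line, then percent-decode each piece.
    An encoded slash therefore stays inside one segment and child() sees it.
    """
    current = root
    for raw in url_path.split("/"):
        if raw:                      # skip empty leading/duplicate pieces
            current = child(current, unquote(raw))
    return current


def naive_resolve(root: str, url_path: str) -> str:
    """The pattern to avoid: decode the whole path, join, normalise, and
    never check that the result is still under root."""
    return posixpath.normpath(posixpath.join(root, unquote(url_path).lstrip("/")))


def is_contained(root: str, path: str) -> bool:
    """True if path is root itself or lies below it."""
    return path == root or path.startswith(root.rstrip("/") + "/")


ROOT = "/srv/www"                                   # constructed sample root
# The request path quoted in the ticket description.
TRAVERSAL = "/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
BENIGN = "/docs/read%20me.txt"                      # constructed sample path


def check(url_path: str) -> str:
    """Classify one URL path as 'served:<path>' or 'rejected:<reason>'."""
    try:
        return "served:" + resolve(ROOT, url_path)
    except InsecurePath as e:
        return "rejected:" + str(e)


if __name__ == "__main__":
    print(check(BENIGN))
    print(check(TRAVERSAL))
    print("naive result contained:",
          is_contained(ROOT, naive_resolve(ROOT, TRAVERSAL)))
```

With the split-then-decode order the whole encoded string becomes a single segment containing literal slashes, which `child()` refuses before any filesystem lookup happens; the same input through `naive_resolve()` normalises straight out of the root, which is the behaviour the reporter expected and the test coverage mentioned in comment 6 guards against.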

comment:7 Changed 7 years ago by <automation>

Owner: jknight deleted