Opened 7 years ago

Last modified 5 years ago

#6527 defect new

FilePath.preauthChild fails to validate that the argument effectively is a child

Reported by: Jonathan Stoppani Owned by:
Priority: normal Milestone:
Component: core Keywords: security FilePath
Cc: Branch:
Author:

Description (last modified by Jonathan Stoppani)

>>> from twisted.python.filepath import FilePath
>>> FilePath('/foo').preauthChild('/foobar/bar')
FilePath('/foobar/bar')

More precisely, in http://twistedmatrix.com/trac/browser/tags/releases/twisted-13.0.0/twisted/python/filepath.py#L699 the simple startswith test should be replaced with something more sophisticated.

Change History (4)

comment:1 Changed 7 years ago by Jonathan Stoppani

Description: modified (diff)

comment:2 Changed 5 years ago by Daira Hopwood

Keywords: security FilePath added

Arrggh. Lucky that I saw this before relying on preauthChild for security.

comment:3 Changed 5 years ago by Daira Hopwood

FilePath.childSearchPreauth should also enforce that the returned path is a descendant.

comment:4 Changed 5 years ago by Daira Hopwood

Note that it is a documented precondition of preauthChild that the child path not begin with /.

This precondition should probably be removed: it isn't sufficient for security because

FilePath("/foo").preauthChild("../foobar")

gives the same result as the original example. Also, the documentation of that precondition isn't correct for Windows in any case.

This sentence gets the comment past filtering for some reason.

Note: See TracTickets for help on using tickets.