Ensure that relative or absolute paths are not passed to the configuration

Open jcoyne opened this issue 9 years ago • 2 comments

Otherwise a carefully crafted requests could pull any file on the server.

Apr 14 '16 03:04 jcoyne

Can you give an example of such a request? It is more than just ../../../etc/passwd, right?

Sep 28 '16 18:09 atz

That's basically what I was getting at. There should not be a way to pass an absolute or relative path that escapes the configured base.

Sep 28 '16 23:09 jcoyne