
User can access arbitrary files with static file hosting on Windows

Open adumbidiot opened this issue 3 years ago • 3 comments

Version 0.3.2

Platform Windows 10 64 bit

Description I'm creating this issue from https://github.com/tower-rs/tower-http/pull/204, where more details can be found. Essentially, if a user inputs a drive letter into the file path, it replaces the entire path. This allows a user to view anything in the current directory of the program, and everything in other attached disks, provided the program can access those files.

I tried this code, which I copied and edited from the attached PR:

Cargo.toml

[package]
name = "warp-tower-204"
version = "0.1.0"
edition = "2018"

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
tokio = { version = "1.15.0", features = ["full"] }
tracing-subscriber = { version = "0.2.7", features = [ "fmt" ] }
warp = "0.3.2"

main.rs

use tracing_subscriber::fmt::format::FmtSpan;

#[tokio::main]
async fn main() {
    // Log warp's debug output and emit an event when each span closes.
    tracing_subscriber::fmt()
        .with_env_filter("tracing=info,warp=debug")
        .with_span_events(FmtSpan::CLOSE)
        .init();
    // Serve static files from a directory on drive D.
    warp::serve(warp::fs::dir("d:/js/OnlyOne/Dist/"))
        .run(([127, 0, 0, 1], 3030))
        .await;
}

I ran this program on drive D. Then I opened the URL in Chrome: http://127.0.0.1:3030/static/asdf/c:/windows/win.ini

I expected to see this happen: I expected the request to fail with a 404.

Instead, this happened: The server responded with:

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[ResponseResult]
ResultCode=0

adumbidiot, Jan 15 '22 03:01

Thank you for the report! Windows is a joy... So, can we add : as an illegal character when cfg(windows)?

seanmonstar, Jan 18 '22 20:01

I think that works. You just can't pass an absolute path or a path with a prefix to push. Looking at Prefix, I don't think it's possible to push a path with a prefix in the validate function without a : as I think all other variants have characters that cannot be present at that point. I'm not sure how prefixes affect other platforms.

Edit: Actually, I think it's possible to create files with : in them on Windows. However, it's not easy; I accidentally created a file called :.txt under WSL, but maybe it's easier with UNC paths. NTFS also seems to allow : in file names, but only under the POSIX namespace. Not sure if that's something worth supporting. The alternative to denying : would be something like tower's fix, just ensuring each path component is not understood as a prefix.

adumbidiot, Jan 20 '22 23:01
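The two mitigations discussed in the comments above, combined in one added example (not code from warp or tower-http): deny `:` in any segment, and require each segment to parse as a single normal path component. The helper name `sanitize_path` is hypothetical, and the request path is assumed to be already percent-decoded.

```rust
use std::path::{Component, Path, PathBuf};

/// Hypothetical helper (not warp's own function): join an already
/// percent-decoded request path onto `base`, or return None to answer 404.
fn sanitize_path(base: &Path, tail: &str) -> Option<PathBuf> {
    let mut buf = PathBuf::from(base);
    for seg in tail.split('/') {
        if seg.is_empty() {
            continue; // leading, trailing or doubled slashes
        }
        // Option 1 from the thread: deny ':' outright, so "c:" never reaches
        // PathBuf::push. '\\' is denied too, as Windows treats it as a separator.
        if seg.contains(':') || seg.contains('\\') {
            return None;
        }
        // Option 2 from the thread: the segment must parse as exactly one
        // Normal component. On Windows a segment like "c:" parses as
        // Component::Prefix and would be rejected here as well; on every
        // platform ".." (ParentDir) and "." (CurDir) are rejected.
        let mut comps = Path::new(seg).components();
        match (comps.next(), comps.next()) {
            (Some(Component::Normal(_)), None) => buf.push(seg),
            _ => return None,
        }
    }
    Some(buf)
}

fn main() {
    let base = Path::new("d:/js/OnlyOne/Dist/");
    // Constructed request paths; the second is the one from the report.
    for tail in ["index.html", "static/asdf/c:/windows/win.ini", "../secret"] {
        println!("{:?} -> {:?}", tail, sanitize_path(base, tail));
    }
}
```

Denying `:` also blocks legitimate files whose names contain a colon, which is the trade-off raised in the comment above.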

FYI I've filed a rustsec about this for tower-http https://github.com/rustsec/advisory-db/pull/1159. The vulnerable code in tower-http was based on code from warp. Might wanna do the same for warp 👀

davidpdrsn, Jan 21 '22 13:01