#563 Possible to bypass allowed_scm blacklist
Closed: Fixed 4 years ago Opened 4 years ago by puiterwijk.


Thanks, looks fine. I'll merge this before 1.14

Metadata Update from @mikem:
- Issue set to the milestone: 1.14

4 years ago

This issue has been assigned CVE-2017-1002153.

The previous patch adjusts some checks, extends the unit tests to cover the sorts of URLs we're concerned with, and preserves our code coverage.

It also catches paths starting with //, which normpath for some reason does not.

This patch looks good to me.

Side note: here is the reason normpath allows // at the beginning:

https://unix.stackexchange.com/questions/12283/unix-difference-between-path-starting-with-and

This is not applicable in any of our URLs, so our squashing of // to / is correct.

Metadata Update from @mikem:
- Issue private status set to: False (was: True)

4 years ago
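The point made in the comments above is that posixpath.normpath() resolves "." and ".." segments but, following POSIX, keeps exactly two leading slashes intact, so "//repos/../other" normalizes to "//other" rather than "/other". The following is an added illustration written for this page, not the Koji code or the patch discussed in the ticket: it shows the raw normpath behaviour next to a normalizer that squashes leading slashes first, and a hypothetical allow-list check built on top of it. The (host, path_prefix) allow-list shape, the helper names and the scm.example.org / evil.example.org hostnames are all constructed for the example and are not Koji's allowed_scm format.

```python
import posixpath
from typing import Iterable, Tuple
from urllib.parse import urlsplit


def normalize_scm_path(path: str) -> str:
    """Normalize the path component of an SCM URL for an allow-list comparison.

    posixpath.normpath() collapses '.' and '..' but deliberately preserves a
    path that starts with exactly two slashes (POSIX leaves '//foo' to the
    implementation).  That distinction has no meaning inside a URL path, so
    every run of leading slashes is squashed to a single '/' before
    normalizing.  Leading '..' segments cannot climb above '/'.
    """
    squashed = "/" + path.lstrip("/")          # '//a' and '///a' both become '/a'
    return posixpath.normpath(squashed)         # '/a/../b' -> '/b'


def raw_normpath(path: str) -> str:
    """What posixpath.normpath() alone does; kept only for comparison."""
    return posixpath.normpath(path)


def is_allowed_scm_url(url: str, allowed: Iterable[Tuple[str, str]]) -> bool:
    """Hypothetical allow-list check: (host, path_prefix) pairs.

    The URL is accepted only if its host matches exactly and its normalized
    path is the allowed prefix or lies strictly below it.  The prefix is
    normalized the same way as the candidate so both sides compare on equal
    terms, and the trailing '/' in the startswith() test keeps '/repos' from
    matching '/repository'.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = normalize_scm_path(parts.path)
    for allowed_host, allowed_prefix in allowed:
        prefix = normalize_scm_path(allowed_prefix)
        if host != allowed_host.lower():
            continue
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample allow-list and candidate URLs.
    allowed = [("scm.example.org", "/repos")]
    for candidate in (
        "git://scm.example.org/repos/proj.git",          # inside the prefix
        "git://scm.example.org//repos/../other/proj.git",  # leading // plus ..
        "git://scm.example.org/repository/proj.git",     # prefix boundary
        "git://evil.example.org/repos/proj.git",         # wrong host
    ):
        p = urlsplit(candidate).path
        print(f"{candidate}\n  normpath only : {raw_normpath(p)}"
              f"\n  squashed      : {normalize_scm_path(p)}"
              f"\n  allowed       : {is_allowed_scm_url(candidate, allowed)}")
```

Running the script prints, for each constructed URL, what normpath alone yields, what the squashing normalizer yields, and the allow-list decision; the second URL is the interesting one, since normpath leaves its path as "//other/proj.git" while the normalizer reduces it to "/other/proj.git", which is then correctly rejected as outside "/repos".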
