Windows: User can escape from root directory #167
Comments
|
This must be a bug on windows. I’ll have to investigate. There is a specific test to ensure users cannot escape the root directory: https://github.com/trs/ftp-srv/blob/master/test/fs.spec.js#L65 The |
trs
added
bug
|
Notice the backslash in the CWD command. I can't explain it, but.. Linux: Windows: |
|
Trying this on windows I can't recreate it using Filezilla, Firefox, or Edge. What client are you using? But in the next PR I have removed the added separator when joining paths, this should solve your issue. |
|
Firefox. Demo |
|
Thanks for the demo video. The attached PR (#168) should address this issue. I'll work on getting it released soon. |
|
You can see how #168 works in this video :) |
|
@yetanothernickname You used #168 for that video? |
|
@trs Yes, with new fsPath() |
|
I'd like to see if we can confirm this is still the case with the changes we made because it shouldn't be. |
|
@forstermatth I was able to reproduce it on 4cd88b1 |
|
@n-timofeev Thanks, I will take a look this week. |
This should prevent paths from being resolved above the root. Should affect all commands that utilize the FS functions. Fixes #167
This should prevent paths from being resolved above the root. Should affect all commands that utilize the FS functions. Fixes #167
This comment has been minimized.
This comment has been minimized.
* fix(fs): check resolved path against root This should prevent paths from being resolved above the root. Should affect all commands that utilize the FS functions. Fixes #167 * test: use __dirname for relative certs * fix: improve path resolution * chore: remove unused package * fix: normalize resolve path if absolute Otherwise join will normalize Co-authored-by: Tyler Stewart <[email protected]>
|
🎉 This issue has been resolved in version 4.4.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
|
I see you step through the new resolve in the second one, enough proof for me, apologies. |
In an attempt to reproduce the test case presented in #167
matt-forster
changed the title
matt-forster
changed the title
|
I've got PR #232 setup to test windows in our CI environment - I've also added a test that uses the path as is in your demo videos. There are a lot of tests failing in that branch right now, mostly due to tests expecting Unix output. This should get us on the right track to fixing this without a doubt. |
|
Source of backslash And i think, we need to block paths with sequential dots and slashes here as a temporary solution |
This comment has been minimized.
This comment has been minimized.
|
@heartz66 making symlinks in you ftp folder is you own choice and cannot be done on the client side |
Windows, default File System, root directory set in login event callback. User can browse parent directory using /../../ in URL.
Example:
root: 'X:\\Project\\Storage\\User'URL
ftp://127.0.0.1/../../becomes a commandCWD \/../../At line 30 in fs.js we have
nodePath.resolve('X:\Project\Storage\User', '.\\\..\..\')So _resolvePath() returns
The text was updated successfully, but these errors were encountered: