There is a path traversal vulnerability in Ring that affects applications that serve resources from the filesystem. It does not affect Ring sites deployed as uberjars.
Versions affected: Every version prior to 1.5.1; 1.6.0-beta1 to 1.6.0-beta6
Fixed versions: 1.5.1, 1.6.0-beta7
Link: https://github.com/ring-clojure/ring

*Overview*

This vulnerability is caused by a bug in the ring.util.response/resource-response function. An attacker can use this vulnerability to access files that are in a directory on the classpath, but they cannot access resources contained in a jar. This also affects the ring.middleware.resource/wrap-resource middleware, and the compojure.route/resources function.

*Example*

Consider a minimal Compojure application:

    (ns example.core
      (:require [compojure.core :refer :all]
                [compojure.route :as route]))

    (defroutes app
      (GET "/" [] "Hello World")
      (route/resources "/")
      (route/not-found "Not Found"))

Assume that this isn't packaged as a jar when deployed, but is deployed as a directory of source files. An attacker can craft a URL to read any file on the classpath that is not in a jar:

    curl -vvv --path-as-is 'http://localhost:3000//../example/core.clj'

*Cause*

Unlike the file-response function, the resource-response function did not properly sanitize the path from the client.

*Fix*

The resource-response function now checks for path segments containing "..", and also ensures that for file-based resources, the canonical filepath of the resource must be contained within the canonical filepath of the :root option.

This fix means that Ring will not follow symlinks on the classpath if they lead to files or directories outside the path specified in the :root option. If you happen to need this for any reason, then you need to set the :allow-symlinks? option to true.

*Recommendation*

Upgrade to 1.5.1 as soon as possible.

*Credit*

Thanks go to Tim McCormack for discovering this vulnerability, and for his responsible disclosure of it. Thanks also go to Dmitri Sotnikov for reviewing the fix.
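The two checks described under *Fix*, written out as an added Clojure example that is not Ring's own code: the hypothetical helpers has-dotdot-segment?, inside-root? and resolve-safe-file reject a ".." segment and then require the resolved file to lie inside the root, with a temporary directory standing in for the :root classpath directory and a boolean standing in for :allow-symlinks?.

```clojure
(ns example.safe-resource
  (:require [clojure.string :as str] [clojure.java.io :as io])
  (:import [java.io File] [java.nio.file Files] [java.nio.file.attribute FileAttribute]))

;; First check from the fix: refuse any path containing a ".." segment.
;; Splitting on "/" keeps "a..b" legal but rejects "a/../b" and "//../x".
;; Assumes the path has already been URL-decoded.
(defn has-dotdot-segment? [path]
  (boolean (some #(= ".." %) (str/split path #"/"))))

;; Second check: the resolved file must sit inside the root directory.
;; With allow-symlinks? false the canonical path is compared, which resolves
;; symlinks, so a link that leaves root is refused; with true only lexical
;; normalisation is applied (the :allow-symlinks? true case).
(defn inside-root? [allow-symlinks? ^File root ^File file]
  (let [real (fn [^File f]
               (if allow-symlinks?
                 (str (.normalize (.toAbsolutePath (.toPath f))))
                 (.getCanonicalPath f)))
        root-path (real root)
        file-path (real file)]
    (or (= file-path root-path)
        (str/starts-with? file-path (str root-path File/separator)))))

;; Returns the File to serve, or nil when the request must be refused.
;; root-dir stands in for the directory behind Ring's :root option.
(defn resolve-safe-file
  ([root-dir request-path] (resolve-safe-file root-dir request-path false))
  ([^File root-dir request-path allow-symlinks?]
   (when-not (has-dotdot-segment? request-path)
     (let [f (io/file root-dir (str/replace request-path #"^/+" ""))]
       (when (and (.isFile f) (inside-root? allow-symlinks? root-dir f))
         f)))))

(comment
  ;; Constructed layout: a public root with one page, plus a symlink that
  ;; escapes the root. Evaluate in a REPL on a Unix-like system.
  (let [tmp     #(.toFile (Files/createTempDirectory % (make-array FileAttribute 0)))
        root    (tmp "public")
        outside (tmp "outside")]
    (spit (io/file root "index.html") "<h1>hi</h1>")
    (spit (io/file outside "secret.txt") "do not serve")
    (Files/createSymbolicLink (.toPath (io/file root "link.txt"))
                              (.toPath (io/file outside "secret.txt"))
                              (make-array FileAttribute 0))
    [(resolve-safe-file root "/index.html")           ; served
     (resolve-safe-file root "//../example/core.clj") ; refused: ".." segment
     (resolve-safe-file root "/link.txt")             ; refused: symlink leaves root
     (resolve-safe-file root "/link.txt" true)]))     ; served with symlinks allowed
```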