path traversal #931
Can reproduce this when running with either uwsgi or the |
ato added a commit to nla/pywb that referenced this issue on Apr 15, 2025: "Prevents the path traversal attack reported in webrecorder#931"
ato added a commit to nla/pywb that referenced this issue on Apr 15, 2025: "Prevents the path traversal attack reported in webrecorder#931"
ikreymer pushed a commit that referenced this issue on Apr 16, 2025: "Prevents the path traversal attack reported in #931"
Is your feature request related to a problem? Please describe.
It seems path traversal allows people to steal my passwd file
```sh
curl -k https://example.com:8443//static/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
```
Describe the solution you'd like
Look, it could be me, something overlooked. If not, can we block path traversals for a start?
Describe alternatives you've considered
Copilot suggested a wrapper to uwsgi, which I have done and it worked.
In my config.yaml:

```ini
#wsgi = pywb.apps.wayback
wsgi = wayback_wrapper:app
```
Additional context
```python
#!/usr/local/pywb/venv/bin/python3
from pywb.apps.wayback import application


def block_malicious_requests(env, start_response):
    # PATH_INFO is the request path as handed over by the WSGI server.
    path = env.get('PATH_INFO', '')
    print(f"Processing path: {path}")  # Debug statement
    # Reject any '..', its percent-encoded form, or a /static/ request that
    # mentions passwd; parentheses make the intended grouping explicit.
    if '..' in path or '%2e%2e' in path or ('/static/' in path and 'passwd' in path):
        print("Blocked path traversal attempt")  # Debug statement
        start_response('451 Unavailable', [('Content-Type', 'text/plain')])
        return [b'Access Denied']
    return application(env, start_response)


app = block_malicious_requests
```
I have one installation. I am no expert or that experienced with it. What do you think?
It gets found by security scanners.
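A stricter form of the wrapper idea from this issue, added here as an example (it is not code from the issue, from nla/pywb or from pywb itself): instead of substring checks it percent-decodes the path until it stops changing, rejects any `..` segment, and verifies that a `/static/` request still resolves under `/static/` after normalisation. The `/static/` prefix comes from the request quoted in the issue; `_demo_app` is a constructed stand-in for `pywb.apps.wayback.application` so the example runs without pywb installed.

```python
import posixpath
from urllib.parse import unquote

STATIC_PREFIX = "/static/"  # the route the reported request targeted


def fully_decode(raw_path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded rounds)."""
    decoded = raw_path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def is_traversal(raw_path: str, prefix: str = STATIC_PREFIX) -> bool:
    """True if the decoded path has a '..' segment or, once collapsed,
    no longer sits under `prefix` although it started there."""
    decoded = fully_decode(raw_path)
    if ".." in decoded.split("/"):
        return True
    collapsed = "/" + decoded.lstrip("/")  # '//static/x' -> '/static/x'
    if collapsed.startswith(prefix):
        return not posixpath.normpath(collapsed).startswith(prefix)
    return False


def traversal_guard(app):
    """WSGI middleware: reject traversal attempts before they reach `app`."""
    def wrapper(env, start_response):
        if is_traversal(env.get("PATH_INFO", "")):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Bad Request"]
        return app(env, start_response)
    return wrapper


def _demo_app(env, start_response):
    # Constructed stand-in for pywb.apps.wayback.application so this runs offline.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"served " + env["PATH_INFO"].encode()]


def guarded_status(path: str) -> str:
    """Send one request with PATH_INFO=path through the guarded demo app."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    b"".join(traversal_guard(_demo_app)({"PATH_INFO": path}, start_response))
    return seen["status"]
```

In a real deployment `guarded_status` and `_demo_app` are dropped and `app = traversal_guard(application)` takes the place of the issue's `app = block_malicious_requests`.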