berkus
/
actix-web
mirror of https://github.com/fafhrd91/actix-web
1
0
Fork 0
Code Issues Releases Wiki Activity

reject %2F in url paths

This commit is contained in:
Ali MJ Al-Nasrawy 2022-01-04 15:09:31 +03:00
parent 5393c3aebb
commit 6dacc34286
5 changed files with 24 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
actix-files/CHANGES.md
View File

@ -1,7 +1,7 @@
# Changes # Changes
## Unreleased - 2021-xx-xx ## Unreleased - 2021-xx-xx
- `Files`: `%2F` in request URL path is now decoded to `/` and thus functions as a path separator. [#2398] - `Files`: request URL paths with `%2F` are now rejected. [#2398]
- `Files`: Fixed a regression where `%25` in the URL path is not decoded to `%` in the file path. [#2398] - `Files`: Fixed a regression where `%25` in the URL path is not decoded to `%` in the file path. [#2398]
- Minimum supported Rust version (MSRV) is now 1.54. - Minimum supported Rust version (MSRV) is now 1.54.

4
actix-files/src/error.rs
View File

@ -23,16 +23,20 @@ impl ResponseError for FilesError {
#[allow(clippy::enum_variant_names)] #[allow(clippy::enum_variant_names)]
#[derive(Display, Debug, PartialEq)] #[derive(Display, Debug, PartialEq)]
#[non_exhaustive]
pub enum UriSegmentError { pub enum UriSegmentError {
/// The segment started with the wrapped invalid character. /// The segment started with the wrapped invalid character.
#[display(fmt = "The segment started with the wrapped invalid character")] #[display(fmt = "The segment started with the wrapped invalid character")]
BadStart(char), BadStart(char),
/// The segment contained the wrapped invalid character. /// The segment contained the wrapped invalid character.
#[display(fmt = "The segment contained the wrapped invalid character")] #[display(fmt = "The segment contained the wrapped invalid character")]
BadChar(char), BadChar(char),
/// The segment ended with the wrapped invalid character. /// The segment ended with the wrapped invalid character.
#[display(fmt = "The segment ended with the wrapped invalid character")] #[display(fmt = "The segment ended with the wrapped invalid character")]
BadEnd(char), BadEnd(char),
/// The path is not a valid UTF-8 string after doing percent decoding. /// The path is not a valid UTF-8 string after doing percent decoding.
#[display(fmt = "The path is not a valif UTF-8 string after percent-decoding")] #[display(fmt = "The path is not a valif UTF-8 string after percent-decoding")]
NotValidUtf8, NotValidUtf8,

10
actix-files/src/files.rs
View File

@ -28,16 +28,6 @@ use crate::{
/// ///
/// `Files` service must be registered with `App::service()` method. /// `Files` service must be registered with `App::service()` method.
/// ///
/// # Percent-Encoding and Security Considerations
///
/// When converting the request URL path into the target [file path](std::path::Path),
/// `Files` service *does* decode *all* percent-encoded characters in the path string.
/// One implication is that the resulting file path may have more components than the URL path
/// as a result of decoding `%2F` into `/`.
///
/// Any middleware that is responsible for validating the paths managed under `Files`
/// should be aware of this behavior.
///
/// # Examples /// # Examples
/// ``` /// ```
/// use actix_web::App; /// use actix_web::App;

6
actix-files/src/lib.rs
View File

@ -805,11 +805,9 @@ mod tests {
assert_eq!(res.status(), StatusCode::OK); assert_eq!(res.status(), StatusCode::OK);
// `%2F` == `/` // `%2F` == `/`
let req = TestRequest::get() let req = TestRequest::get().uri("/test%2Ftest.binary").to_request();
.uri("/test/%2F..%2F..%2Ftests%2Ftest.binary")
.to_request();
let res = test::call_service(&srv, req).await; let res = test::call_service(&srv, req).await;
assert_eq!(res.status(), StatusCode::OK); assert_eq!(res.status(), StatusCode::NOT_FOUND);
let req = TestRequest::get().uri("/test/Cargo.toml%00").to_request(); let req = TestRequest::get().uri("/test/Cargo.toml%00").to_request();
let res = test::call_service(&srv, req).await; let res = test::call_service(&srv, req).await;

18
actix-files/src/path_buf.rs
View File

@ -1,5 +1,5 @@
use std::{ use std::{
path::{Path, PathBuf}, path::{Component, Path, PathBuf},
str::FromStr, str::FromStr,
}; };
@ -26,12 +26,21 @@ impl PathBufWrap {
pub fn parse_path(path: &str, hidden_files: bool) -> Result<Self, UriSegmentError> { pub fn parse_path(path: &str, hidden_files: bool) -> Result<Self, UriSegmentError> {
let mut buf = PathBuf::new(); let mut buf = PathBuf::new();
// equivalent to `path.split('/').count()`
let mut segment_count = path.matches('/').count() + 1;
let path = percent_encoding::percent_decode_str(path) let path = percent_encoding::percent_decode_str(path)
.decode_utf8() .decode_utf8()
.map_err(|_| UriSegmentError::NotValidUtf8)?; .map_err(|_| UriSegmentError::NotValidUtf8)?;
// disallow decoding `%2F` into `/`
if segment_count != path.matches('/').count() + 1 {
return Err(UriSegmentError::BadChar('/'));
}
for segment in path.split('/') { for segment in path.split('/') {
if segment == ".." { if segment == ".." {
segment_count -= 1;
buf.pop(); buf.pop();
} else if !hidden_files && segment.starts_with('.') { } else if !hidden_files && segment.starts_with('.') {
return Err(UriSegmentError::BadStart('.')); return Err(UriSegmentError::BadStart('.'));
@ -44,6 +53,7 @@ impl PathBufWrap {
} else if segment.ends_with('<') { } else if segment.ends_with('<') {
return Err(UriSegmentError::BadEnd('<')); return Err(UriSegmentError::BadEnd('<'));
} else if segment.is_empty() { } else if segment.is_empty() {
segment_count -= 1;
continue; continue;
} else if cfg!(windows) && segment.contains('\\') { } else if cfg!(windows) && segment.contains('\\') {
return Err(UriSegmentError::BadChar('\\')); return Err(UriSegmentError::BadChar('\\'));
@ -52,6 +62,12 @@ impl PathBufWrap {
} }
} }
// make sure we agree with stdlib parser
for (i, component) in buf.components().enumerate() {
assert!(matches!(component, Component::Normal(_)));
assert!(i < segment_count);
}
Ok(PathBufWrap(buf)) Ok(PathBufWrap(buf))
} }
} }