Directory traversal

[cbiedl]

Hello,
thanks for that little program, it serves me well, and I'm considering packaging it for the Debian Linux distribution.
However, there's an issue: It seems ftp-proxy has no safeguard against requesting files from outside the given base directory, in other words, "get ../../../etc/passwd" will happily deliver that file - something that shouldn't happen from a security point of view.

[funzoneq]

Hi @cbiedl. I created a fix for it as you can see above, but I no longer have write access to this repository.

[hillu]

@funzoneq Your patch does not work:

package main

import "fmt"
import "path"
import "path/filepath"

func main() {
	dir := "/var/lib/tftpboot"
	filename := "/../../../../../../../etc/passwd"
	fmt.Println(filepath.Clean(path.Join(dir, filename)))
}

gives me /etc/passwd which is exactly what I would want as an attacker.

What does work is

• ensuring that filename starts with a slash
• cleaning up the filename with path.Clean or filepath.Clean
• joining that with dir

Like so:

path.Join(dir, path.Clean("/"+filename))

[funzoneq]

@hillu thanks for that. I updated the PR. #3

[cbiedl]

@funzoneq that is not sufficient I'm afraid. This one prepends a slash to user-supplied filename and should therefore do the trick:

file_path := path.Join(dir, filepath.Clean(path.Join("/", filename)))