packages/thrift
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
thrift/CVE-2018-11798.patch
wang_yue111 fc36fc9927 Fix CVE-2018-11798 and CVE-2018-1320
2020-11-05 17:33:26 +08:00

64 lines
2.0 KiB
Diff
Raw Blame History

From 54356a41474cccb0e2e2a7fc4b646812acadb7ec Mon Sep 17 00:00:00 2001
From: jfarrell <jfarrell@apache.org>
Date: Thu, 4 Oct 2018 23:00:28 -0400
Subject: [PATCH] Thrift-4647: Node.js Filesever webroot fixed path
Updates the node.js fileserver to have a fixed based webroot which can
not be escaped by end users.
---
lib/js/test/server_http.js | 2 +-
lib/js/test/server_https.js | 2 +-
lib/nodejs/lib/thrift/web_server.js | 10 +++++++++-
3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/lib/js/test/server_http.js b/lib/js/test/server_http.js
index e195e80..c516409 100644
--- a/lib/js/test/server_http.js
+++ b/lib/js/test/server_http.js
@@ -36,7 +36,7 @@ var ThriftTestSvcOpt = {
};
var ThriftWebServerOptions = {
- files: ".",
+ files: __dirname,
services: {
"/service": ThriftTestSvcOpt
}
diff --git a/lib/js/test/server_https.js b/lib/js/test/server_https.js
index af1745b..9499b09 100644
--- a/lib/js/test/server_https.js
+++ b/lib/js/test/server_https.js
@@ -40,7 +40,7 @@ var ThriftTestSvcOpt = {
};
var ThriftWebServerOptions = {
- files: ".",
+ files: __dirname,
tls: {
key: fs.readFileSync("../../../test/keys/server.key"),
cert: fs.readFileSync("../../../test/keys/server.crt")
diff --git a/lib/nodejs/lib/thrift/web_server.js b/lib/nodejs/lib/thrift/web_server.js
index 37159ea..47e8a9f 100644
--- a/lib/nodejs/lib/thrift/web_server.js
+++ b/lib/nodejs/lib/thrift/web_server.js
@@ -414,7 +414,15 @@ exports.createWebServer = function(options) {
//Locate the file requested and send it
var uri = url.parse(request.url).pathname;
- var filename = path.join(baseDir, uri);
+ var filename = path.resolve(path.join(baseDir, uri));
+
+ //Ensure the basedir path is not able to be escaped
+ if (filename.indexOf(baseDir) != 0) {
+ response.writeHead(400, "Invalid request path", {});
+ response.end();
+ return;
+ }
+
fs.exists(filename, function(exists) {
if(!exists) {
response.writeHead(404);
--
2.23.0
Reference in New Issue View Git Blame Copy Permalink