Subject: [ANN] Ring 1.5.1 released to fix path traversal
vulnerability



There is a path traversal vulnerability in Ring that affects applications that serve resources from the filesystem. It does not affect Ring sites deployed as uberjars.
Versions affected: Every version prior to 1.5.1; 1.6.0-beta1 to 1.6.0-beta6
Fixed versions: 1.5.1, 1.6.0-beta7
Link: https://github.com/ring-clojure/ring
Overview
This vulnerability is caused by a bug in the ring.util.response/resource-response function. An attacker can use this vulnerability to access files that are in a directory on the classpath, but they cannot access resources contained in a jar.
This also affects the ring.middleware.resource/wrap-resource middleware, and the compojure.route/resources function.
Example

Consider a minimal Compojure application:
(ns example.core  (:require [compojure.core :refer :all]            [compojure.route :as route]))
(defroutes app  (GET "/" [] "Hello World")  (route/resources "/")  (route/not-found "Not Found"))
Assume that this isn't packaged as an jar when deployed, but is deployed as a directory of source files. An attacker can craft a URL to read any file on the classpath that is not in a jar:
curl -vvv --path-as-is 'http://localhost:3000//../example/core.clj'
Cause

Unlike the file-response function, the resource-response function did not properly santize the path from the client.
Fix

The resource-response function now checks for path segments containing "..", and also ensures that for file-based resources, the canonical filepath of the resource must be contained within the canonical filepath of the :root option.
This fix means that Ring will not follow symlinks on the classpath if they lead to files or directories outside the path specified in the :root option. If you happen to need this for any reason, then you need to set the :allow-symlinks? option to true.
Recommendation
Upgrade to 1.5.1 as soon as possible.
Credit
Thanks go Tim McCormack for discovering this vulnerability, and his responsible disclosure of it. Thanks also go to Dmitri Sotnikov for reviewing the fix.

--
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to [email protected]
Note that posts from new members are moderated - please be patient with your first post.
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
---
You received this message because you are subscribed to the Google Groups "Clojure" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.


Programming list archiving by: Enterprise Git Hosting