File tree Expand file tree Collapse file tree 1 file changed +28
-0
lines changed Expand file tree Collapse file tree 1 file changed +28
-0
lines changed Original file line number Diff line number Diff line change 1+ ``` toml
2+ [advisory ]
3+ id = " RUSTSEC-0000-0000"
4+ package = " tower-http"
5+ date = " 2022-01-21"
6+ url = " https://github.com/tower-rs/tower-http/pull/204"
7+ categories = [" file-disclosure"
8+ keywords = [" directory traversal" " http"
9+
10+ [affected ]
11+ os = [" windows"
12+
13+ [versions ]
14+ patched = [" >= 0.2.1" " >= 0.1.3, < 0.2.0"
15+ ```
16+
17+ # Improper validation of Windows paths could lead to directory traversal attack
18+
19+ ` tower_http::services::fs::ServeDir ` didn't correctly validate Windows paths
20+ meaning paths like ` /foo/bar/c:/windows/web/screen/img101.png ` would be allowed
21+ and respond with the contents of ` c:/windows/web/screen/img101.png ` . Thus users
22+ could potentially read files anywhere on the filesystem.
23+
24+ This only impacts Windows. Linux and other unix likes are not impacted by this.
25+
26+ See [ tower-http #204 ] for more details.
27+
28+ [ tower-http#204 ] : https://github.com/tower-rs/tower-http/pull/204
You can’t perform that action at this time.
0 commit comments