vh/rest-server
1
0
Fork 0
mirror of https://github.com/restic/rest-server.git synced 2025-12-07 01:26:18 -08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Security: Prevent loading of usernames containing a slash

Browse Source 
"/" is valid char in HTTP authorization headers, but is also used in
rest-server to map usernames to private repos.

This commit prevents loading maliciously composed usernames like
"/foo/config" by restricting the allowed characters to the unicode
character class, numbers, "-", "." and "@".

Closes #131
This commit is contained in:
Juergen Hoetzel
2020-12-23 11:30:00 +01:00
parent ba581f22ed
commit 33c41b55bb
2 changed files with 22 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
changelog/unreleased/issue-131 Normal file
View File

@@ -0,0 +1,16 @@
Security: Prevent loading of usernames containing a slash
"/" is valid char in HTTP authorization headers, but is also used in
rest-server to map usernames to private repos.
This commit prevents loading maliciously composed usernames like
"/foo/config" by restricting the allowed characters to the unicode
character class, numbers, "-", "." and "@".
This prevents requests to other users files like:
curl -v -X DELETE -u foo/config:attack http://localhost:8000/foo/config
https://github.com/restic/rest-server/issues/131
https://github.com/restic/rest-server/pull/132