mirror of
https://github.com/restic/rest-server.git
synced 2025-12-07 09:36:13 -08:00
20 lines
1.0 KiB
Plaintext
Security: Stricter path sanitization

The framework we're using in rest-server to decode paths to repositories
allowed specifying URL-encoded characters in paths, including sensitive
characters such as `/` (encoded as `%2F`).

We've changed this unintended behavior, such that rest-server now rejects
such paths. In particular, it is no longer possible to specify sub-repositories
for users by encoding the path with `%2F`, such as `http://localhost:8000/foo%2Fbar`,
which means that this will unfortunately be a breaking change in that case.

If using sub-repositories for users is important to you, please let us know in
the forum, so we can learn about your use case and implement this properly. As
it currently stands, the ability to use sub-repositories was an unintentional
feature made possible by the URL decoding framework used, and hence never meant
to be supported in the first place. If we wish to have this feature in
rest-server, we'd like to have it implemented properly and intentionally.

https://github.com/restic/rest-server/issues/117
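As an added illustration of the rule described above (this is not rest-server's own code), the Go function below checks each segment of the request path as it appeared on the wire and rejects any segment that changes under percent-decoding, so `/foo%2Fbar` is refused instead of being silently read as the sub-path `/foo/bar`. The function name and its use of the escaped path (what `net/http` exposes as `r.URL.EscapedPath()`) are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrBadPath is returned for request paths that fail sanitization.
var ErrBadPath = errors.New("invalid repository path")

// sanitizeRepoPath is a hypothetical check, not rest-server's own code.
// It takes the escaped request path (r.URL.EscapedPath()) and returns it
// unchanged if every segment is identical before and after percent-decoding;
// otherwise it returns ErrBadPath. "%2F" therefore never becomes a
// separator, and "%2E%2E" never becomes "..". Dot segments and empty
// middle segments are refused; a trailing "/" (listing endpoints) is kept.
func sanitizeRepoPath(escaped string) (string, error) {
	if !strings.HasPrefix(escaped, "/") {
		return "", ErrBadPath
	}
	segments := strings.Split(escaped[1:], "/")
	for i, seg := range segments {
		if seg == "" {
			if i == len(segments)-1 {
				continue // trailing slash is fine
			}
			return "", ErrBadPath
		}
		if seg == "." || seg == ".." {
			return "", ErrBadPath
		}
		decoded, err := url.PathUnescape(seg)
		if err != nil || decoded != seg {
			// An escape sequence is present: reject rather than decode.
			return "", ErrBadPath
		}
	}
	return escaped, nil
}

func main() {
	// Constructed sample paths: one valid, two encoded traversals, one listing.
	for _, p := range []string{"/foo/bar", "/foo%2Fbar", "/foo/%2E%2E/x", "/foo/data/"} {
		clean, err := sanitizeRepoPath(p)
		fmt.Printf("%-14s -> %q, %v\n", p, clean, err)
	}
}
```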