From: naruse@... Date: 2019-05-07T12:30:31+00:00 Subject: [ruby-core:92583] [Ruby trunk Bug#15835] Path traversal symlink - WEBrick Issue #15835 has been updated by naruse (Yui NARUSE). Status changed from Open to Feedback On Apache with `FollowSymLinks` enabled, it can traverse out of DocumentRoot. hxxps://httpd.apache.org/docs/2.4/en/urlmapping.html Therefore it's not a problem. ---------------------------------------- Bug #15835: Path traversal symlink - WEBrick https://bugs.ruby-lang.org/issues/15835#change-77945 * Author: Dhiraj (Dhiraj Mishra) * Status: Feedback * Priority: Normal * Assignee: * Target version: * ruby -v: 2.6.3 * Backport: 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN ---------------------------------------- **Summary:** A path traversal issue was observed in WEBrick ( WEBrick/1.4.2 (Ruby/2.6.3/2019-04-16)) via symlink. WEBrick serves static page for the current directory once enabled, however using symlink attacker could view data outside the hosted/running directory. **Steps to reproduce:** > mkdir nothing > cd nothing > ln -s ../../ symlnk > ruby -run -ehttpd . -p8080 **Impact:** This would allow the attacker to view sensitive data outside the root/running directory. **Recommendation:** We can probably educate users about this behavior in the WebBrick documentation and providing a flag/parameter to disable/enable following symlinks. -- https://bugs.ruby-lang.org/ Unsubscribe: