Impact
The vulnerability allows anyone who can reach the /note_attachment/<filename> endpoint to download files outside the intended attachment directory (path traversal). Initially discovered in #1105
Patches
A patch has been applied and a release made. Users should upgrade to >= v8.12.7
Workarounds
If users don't wish to upgrade, they can manually apply the changes from commit 23ac5dd
References
Commit 23ac5dd can be referenced to see the vulnerable code and the fix.
Essentially:
import os
from flask import send_file
# `blueprint` and PATH_NOTE_ATTACHMENTS are defined elsewhere in the application.

@blueprint.route('/note_attachment/<filename>')
def send_note_attachment(filename):
    """Return a file from the note attachment directory"""
    # `filename` comes straight from the URL and is joined without validation
    file_path = os.path.join(PATH_NOTE_ATTACHMENTS, filename)
    return send_file(file_path, as_attachment=True)
This allows someone to use relative paths in their request to obtain files outside the PATH_NOTE_ATTACHMENTS directory: filename is joined to the base directory without validation, so ".." segments resolve above it, and because os.path.join discards the base when its second argument is an absolute path, an absolute filename is used verbatim.
Fixed with:
import os
from flask import send_file
# `blueprint` and PATH_NOTE_ATTACHMENTS are defined elsewhere in the application.

@blueprint.route('/note_attachment/<filename>')
def send_note_attachment(filename):
    """Return a file from the note attachment directory"""
    file_path = os.path.join(PATH_NOTE_ATTACHMENTS, filename)
    # Serve the file only if its absolute form stays under the attachment directory
    if os.path.abspath(file_path).startswith(PATH_NOTE_ATTACHMENTS):
        return send_file(file_path, as_attachment=True)
The check is a plain string-prefix test, so two caveats apply when backporting it: a sibling directory whose name begins with the same string (for example an attachments_old directory next to attachments) still passes, and a rejected request falls through with no return value, which Flask reports as a 500 rather than a 404. Comparing against the base directory with a trailing separator (or with os.path.commonpath) and returning an explicit 404 in the else branch closes both gaps.
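The three behaviours side by side, as an added, stand-alone example that is not the project's code: the unchecked join from the vulnerable view, the string-prefix check from the fix, and a stricter variant that resolves symlinks and requires the base directory to be a component-wise ancestor of the result. It assumes a constructed base directory /srv/app/attachments in place of the real PATH_NOTE_ATTACHMENTS setting, uses constructed request filenames, and needs neither Flask nor any file on disk; the function names are chosen here and are not from the project.

```python
import os

# Constructed base directory for the demonstration; the real value is the
# application's PATH_NOTE_ATTACHMENTS setting.
PATH_NOTE_ATTACHMENTS = "/srv/app/attachments"


def vulnerable_path(filename, base=PATH_NOTE_ATTACHMENTS):
    """Original behaviour: join the user-supplied name with no validation."""
    return os.path.join(base, filename)


def prefix_checked_path(filename, base=PATH_NOTE_ATTACHMENTS):
    """The advisory's fix: accept only if the absolute path starts with base.

    Returns None where the patched view falls through without a response.
    """
    file_path = os.path.join(base, filename)
    if os.path.abspath(file_path).startswith(base):
        return file_path
    return None


def strict_path(filename, base=PATH_NOTE_ATTACHMENTS):
    """Hardened check (added here, not the project's code).

    Normalises both sides, resolves symlinks, and requires base to be a
    component-wise ancestor of the result, so sibling directories that merely
    share a string prefix (e.g. /srv/app/attachments_old) are rejected too.
    The base directory itself is rejected as well: it is not a file.
    """
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, filename))
    try:
        common = os.path.commonpath([base_real, candidate])
    except ValueError:  # absolute/relative mix or different drives
        return None
    if common != base_real or candidate == base_real:
        return None
    return candidate


# Constructed request filenames: one legitimate, three traversal attempts.
SAMPLE_REQUESTS = [
    "report.pdf",                      # ordinary attachment
    "../../etc/passwd",                # dot-dot traversal
    "/etc/passwd",                     # absolute path: os.path.join drops base
    "../attachments_old/secret.txt",   # sibling dir sharing the prefix string
]


def evaluate(filenames=SAMPLE_REQUESTS):
    """Return {filename: (vulnerable, prefix_checked, strict)} per request."""
    return {
        name: (vulnerable_path(name), prefix_checked_path(name), strict_path(name))
        for name in filenames
    }


if __name__ == "__main__":
    for name, (vuln, prefix, strict) in evaluate().items():
        print(f"{name!r:34} unchecked    -> {vuln}")
        print(f"{'':34} prefix check -> {prefix}")
        print(f"{'':34} strict check -> {strict}")
```

Running it shows the fix rejecting the dot-dot and absolute-path requests but still accepting ../attachments_old/secret.txt, because /srv/app/attachments_old begins with the string /srv/app/attachments; the commonpath variant rejects it. Resolving with os.path.realpath before comparing also stops a symlink inside the attachment directory from pointing the check outside it.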
For more information
If you have any questions or comments about this advisory: