I fudged up the title for devlog 4, but today I found a fun bug.
I was looking through the logs for my server and I saw some interesting errors, mainly from people using invalid URIs. But then I thought more about URIs.
I realized the logic I had to take a requested URI and translate it to a file was flawed. It took the URI as provided, grabbed its path, then just combined that with the document root.
That's very much a bad idea.
The capsule was configured to serve files from /var/gemini, so if you requested /gemlog/a-post.gmi you'd be served: /var/gemini/gemlog/a-post.gmi
Now if you requested /gemlog/../file.gmi you'd be served: /var/gemini/file.gmi
Where this becomes an issue is a request like /../../file.txt. That joins to /var/gemini/../../file.txt, which the filesystem resolves to /file.txt, the root of the filesystem. Two back paths are enough to climb out of /var/gemini (a deeper document root just needs more of them), so a requester can read any file the server process itself is allowed to read.
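To make the two mappings concrete, here is an added example, written for this post and not taken from the Java Gemini Server source, that puts the naive join described above next to a hardened mapping which refuses anything that escapes the document root. The class and method names, the example.org request URIs and the /var/gemini root are my own assumptions for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

// Added example (not the server's code): maps a Gemini request path onto a
// document root two ways, the naive join described in the post and a hardened
// version that refuses anything resolving outside the root.
public final class DocRootMapper {
    private final Path docRoot;

    public DocRootMapper(String docRoot) {
        // Canonical form of the root so the startsWith() check compares like with like
        this.docRoot = Paths.get(docRoot).toAbsolutePath().normalize();
    }

    // The flawed mapping: the URI path is joined straight onto the root. The ".."
    // components survive and the OS resolves them when the file is opened.
    public Path naiveMap(String uriPath) {
        return Paths.get(docRoot.toString(), uriPath);
    }

    // Hardened mapping: treat the request path as relative to the root, collapse
    // "." and ".." lexically, then require the result to still sit under the root.
    // Path.startsWith compares whole name elements, so /var/gemini2 does not
    // count as being inside /var/gemini the way a string prefix check would.
    public Optional<Path> safeMap(String uriPath) {
        String relative = uriPath.startsWith("/") ? uriPath.substring(1) : uriPath;
        Path candidate = docRoot.resolve(relative).normalize();
        if (!candidate.startsWith(docRoot)) {
            return Optional.empty();   // escaped the document root: refuse the request
        }
        return Optional.of(candidate);
    }

    // Extract the path from a full request URI. URI.getPath() returns the
    // percent-decoded form, so "%2e%2e" arrives here as ".." and is handled
    // by safeMap() like any other ".." component.
    public static String requestPath(String requestUri) throws URISyntaxException {
        String p = new URI(requestUri).getPath();
        return (p == null || p.isEmpty()) ? "/" : p;
    }

    public static void main(String[] args) throws URISyntaxException {
        DocRootMapper mapper = new DocRootMapper("/var/gemini");
        // Constructed request URIs for illustration; example.org is not a real capsule.
        String[] requests = {
            "gemini://example.org/gemlog/a-post.gmi",
            "gemini://example.org/gemlog/../file.gmi",
            "gemini://example.org/../../file.txt",
            "gemini://example.org/%2e%2e/%2e%2e/etc/passwd",
            "gemini://example.org/gemlog/../../etc/passwd",
        };
        for (String req : requests) {
            String path = requestPath(req);
            Path naive = mapper.naiveMap(path).normalize(); // what the OS would actually open
            Optional<Path> safe = mapper.safeMap(path);
            System.out.printf("%-48s naive=%-32s safe=%s%n",
                    req, naive, safe.map(Path::toString).orElse("REJECTED"));
        }
    }
}
```

The first two requests map to /var/gemini/gemlog/a-post.gmi and /var/gemini/file.gmi under both mappings, matching the post. The last three all collapse to a path outside /var/gemini; the naive join would hand them to the OS as /file.txt and /etc/passwd, while safeMap returns empty and the server should answer with an error status instead. Two things this block leaves to the caller: the containment check is purely lexical, so a symlink inside the document root that points outside it is not caught unless you also run the same startsWith check against candidate.toRealPath() once the file is known to exist, and the percent-decoding only works because the path is taken from URI.getPath(); matching on the raw request string would let "%2e%2e" slip past a check that looks for "..".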
- Path docPath = Paths.get(docRoot, path); + // Normalize the URI path before we append it to our docRoot + // This will ensure you can' /var/gemini/../../etc/passwd for example + Path docPath = Paths.get(docRoot, Path.of(path).normalize().toString()).normalize();
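Review bot: the normalize() on `Path.of(path)` only strips the leading `..` components because the request path is absolute (it starts with `/`); a relative path such as `../file.gmi` normalizes to itself, and joining that onto docRoot still escapes it. Rather than depending on the shape of the input, normalize the joined `docPath` and then require `docPath.startsWith(Paths.get(docRoot))` before opening the file, rejecting the request otherwise. The added comment also reads as cut off at `you can' /var/gemini/../../etc/passwd`; complete the sentence so the intent of the check is clear to the next reader.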
I looked at all the files requested, and no one in the 400 or so requests (100 or so of which are my own) used a back path.
I don't actually serve any sensitive content, and I was serving data from a Docker container, so it was sandboxed.
If you rolled your own server, or are using a super lightweight one, check how it handles relative paths and things like symlinks and other tricky filesystem features that could give a malicious or curious user a way to read something you weren't expecting to serve.
=> [https] Java Gemini Server Source