Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/crypto/acme/autocert: httpTokenCacheKey allows limited directory traversal on windows #53082

Closed
rolandshoemaker opened this issue May 25, 2022 · 1 comment
Closed

x/crypto/acme/autocert: httpTokenCacheKey allows limited directory traversal on windows #53082

rolandshoemaker opened this issue May 25, 2022 · 1 comment
Labels
FrozenDueToAge OS-Windows Security
Milestone
Unreleased

Comments

@rolandshoemaker
Copy link
Member

httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Window path.Base acts differently to filepath.Base since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\..\asd becomes ..\..\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened.

Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.

Thanks to Juho Nurminen of Mattermost for reporting this.

This is CVE-2022-30636.
@gopherbot gopherbot added this to the Unreleased milestone May 25, 2022
@rolandshoemaker
Copy link
Member Author

Fixed by https://go.dev/cl/408694.

@golang golang locked and limited conversation to collaborators May 26, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge OS-Windows Security
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
2 participants
@rolandshoemaker @gopherbot