Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#2003 closed defect (fixed)

The static cache should not allow cache keys containing '../'

Reported by: Nicklas Nordborg
Owned by: everyone
Priority: blocker
Milestone: BASE 3.7.2
Component: core
Version:
Keywords:
Cc:

Description (last modified by Nicklas Nordborg)

This results in cache files being created (or read) outside the designated directory for user files (as configured in base.config).

This issue affects BASE versions between 2.11 (the static cache was introduced by #1261) and 3.7.1. We recommend all BASE users to upgrade to BASE 3.7.2.

A temporary workaround is to disable the static cache by setting cache.static.disabled = true in the base.config file. Do not forget to restart the BASE web server.

Change History (2)

comment:1 Changed 5 years ago by Nicklas Nordborg

Resolution: fixed
Status: new → closed

(In [7137]) Fixes #2003: The static cache should not allow cache keys containing '../'

The validation of keys now includes a check for '../'.

As an extra safety measure, the canonical paths of the files created from the keys are verified to be sub-paths of the root path of the cache.
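
The two checks described in comment:1, sketched as an added Java example (not the BASE source and not the code from [7137]). The class and method names are hypothetical and the sample keys are constructed; the key ".." shows why the canonical-path check is still needed once '../' is rejected.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

// Added illustration; class and method names are hypothetical, not BASE's API.
public class StaticCacheKeyCheck {

    private final File root;

    public StaticCacheKeyCheck(File cacheRoot) throws IOException {
        // Canonicalize the root once so symlinks and '.'/'..' in it are resolved.
        this.root = cacheRoot.getCanonicalFile();
    }

    // Check 1: key validation rejects any key containing '../'.
    static boolean isValidKey(String key) {
        return key != null && !key.isEmpty() && !key.contains("../");
    }

    // Check 2: the canonical path of the file built from the key must be
    // a sub-path of the cache root.
    File resolve(String key) throws IOException {
        if (!isValidKey(key)) {
            throw new IllegalArgumentException("invalid cache key");
        }
        File f = new File(root, key).getCanonicalFile();
        // Path.startsWith compares whole path elements, so a sibling such as
        // "<root>-other" is not mistaken for a sub-path of "<root>".
        if (!f.toPath().startsWith(root.toPath())) {
            throw new IOException("key resolves outside the cache root");
        }
        return f;
    }

    public static void main(String[] args) throws IOException {
        StaticCacheKeyCheck cache =
            new StaticCacheKeyCheck(Files.createTempDirectory("static-cache").toFile());
        // Constructed sample keys: one valid, two caught by check 1, one by check 2.
        String[] keys = { "plugins/logo.png", "../outside.txt", "a/../../outside.txt", ".." };
        for (String key : keys) {
            try {
                System.out.println("OK       " + key + " -> " + cache.resolve(key));
            } catch (IllegalArgumentException | IOException e) {
                System.out.println("REJECTED " + key + " (" + e.getMessage() + ")");
            }
        }
    }
}
```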

comment:2 Changed 5 years ago by Nicklas Nordborg

Description: modified (diff)