#2003 closed defect (fixed)
The static cache should not allow cache keys containing '../'
Reported by: | Nicklas Nordborg | Owned by: | everyone |
---|---|---|---|
Priority: | blocker | Milestone: | BASE 3.7.2 |
Component: | core | Version: | |
Keywords: | Cc: |
Description
This results in cache files being created (or read) outside the designated directory for user files (as configured in base.config).
This issue affects BASE versions between 2.11 (the static cache was introduced by #1261) and 3.7.1. We recommend all BASE users to upgrade to BASE 3.7.2.
A temporary workaround is to disable the static cache by setting cache.static.disabled = true in the base.config file. Do not forget to restart the BASE web server.
Change History (2)
comment:1 by , 9 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
comment:2 by , 9 years ago
Description: | modified (diff) |
---|
(In [7137]) Fixes #2003: The static cache should not allow cache keys containing '../'
The validation of keys now includes a check for '../'.
As an extra safety measure, the canonical paths of the files created from the keys are verified to be sub-paths of the root path of the cache.
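
The two checks described in the commit message above, as an added example that is not BASE's own code. The class name `CacheKeyCheck`, the method `resolve`, and the sample keys and directories are assumptions made for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

// Hypothetical helper; class and method names are not taken from BASE.
public class CacheKeyCheck {

    // Maps a cache key to a file under root, or throws if the key could escape it.
    static File resolve(File root, String key) throws IOException {
        // Check 1: reject keys with a parent-directory step outright.
        if (key == null || key.isEmpty() || key.contains("../")) {
            throw new IllegalArgumentException("Invalid cache key: " + key);
        }
        // Check 2: the canonical path (".." and symlinks resolved) must stay below root.
        String rootPath = root.getCanonicalPath();
        File target = new File(root, key).getCanonicalFile();
        if (!target.getPath().startsWith(rootPath + File.separator)) {
            throw new IllegalArgumentException("Cache key resolves outside the cache: " + key);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: <tmp>/cache is the cache root, <tmp>/other is not.
        File tmp = Files.createTempDirectory("cache-demo").toFile();
        File root = new File(tmp, "cache");
        File other = new File(tmp, "other");
        root.mkdirs();
        other.mkdirs();
        // A link inside the cache that points outside it; its key contains no "../".
        // (Creating symlinks may need extra privileges on Windows.)
        Files.createSymbolicLink(new File(root, "link").toPath(), other.toPath());

        String[] keys = { "images/logo.png", "../other/x", "a/../../other/x", "link/x", "" };
        for (String key : keys) {
            try {
                System.out.println("accepted  " + key + " -> " + resolve(root, key));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected  " + e.getMessage());
            }
        }
    }
}
```

The key `link/x` passes the string check but is rejected by the canonical-path comparison, which is the case the second check exists to cover.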