the server has a minor path traversal issue #6
No description provided.
I recently submitted a fix for the tilde.chat wiki for a path traversal issue which allows serving any .md file from the local filesystem. I don't think that has any actual danger since the files will likely be public files from program documentary, still I thought it should be fixed. At the time I was not aware that the wiki code was forked, so I didn't propose the same fix for the wiki.php project.
I just noticed this when the XSS fix was posted; this means that the path does not directly work, but it should be easy to adapt.
c2ec0439df
This fix may have fixed the XSS issue as well, I am not sure.
Oh, this isn't the tilde.chat wiki system. wiki.php is an independent project, with a somewhat uncreative name :)
However, I'm torn on whether the traversal of the articles and includes pages is a bug, or a feature?
It could be handy to allow downloading of raw .md files.
I guess it should at least trap ../ in some way,
since the path comes from the user.
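One way to trap the traversal while still allowing raw .md files to be served from the articles directory, as an added example that is not wiki.php's own code: the function name `resolveArticle`, the `articles/` directory layout and the sample files created in the temp directory are assumptions made for this demonstration. The same helper could be pointed at the includes directory with a different base path.

```php
<?php
// Added example, not part of wiki.php. Resolves a user-supplied article name
// to a file inside an articles directory and refuses anything that would
// escape it. The directory layout and helper name are assumptions.

declare(strict_types=1);

/**
 * Return the absolute path of "$name.md" inside $baseDir, or null if the
 * request must be refused. Two independent checks are applied:
 *  1. an allow-list on the name (letters, digits, '-', '_', and '/' for
 *     sub-folders; no '.' at all, so "../" and dot-files cannot be spelled);
 *  2. a realpath() containment check, so a symlink or anything the allow-list
 *     missed still cannot resolve to a file outside $baseDir.
 */
function resolveArticle(string $baseDir, string $name): ?string
{
    // 1. Syntactic allow-list: every path segment is [A-Za-z0-9_-]+ .
    if (!preg_match('~^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$~', $name)) {
        return null;
    }

    $root = realpath($baseDir);
    if ($root === false) {
        return null; // the articles directory itself is missing
    }

    // realpath() returns false when the file does not exist.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $name . '.md');
    if ($candidate === false) {
        return null; // no such article
    }

    // 2. Containment: the resolved path must start with "<root>/".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return is_file($candidate) ? $candidate : null;
}

// --- Demonstration on a constructed layout in the system temp directory ---
$tmp = sys_get_temp_dir() . '/wiki-demo-' . getmypid();
mkdir("$tmp/articles/sub", 0700, true);
file_put_contents("$tmp/articles/Home.md", "# Home\n");
file_put_contents("$tmp/articles/sub/Page.md", "# Sub page\n");
file_put_contents("$tmp/secret.md", "outside the wiki\n"); // must never be served

$requests = [
    'Home',              // served
    'sub/Page',          // served (sub-folder is allowed)
    '../secret',         // refused by the allow-list
    'sub/../../secret',  // refused by the allow-list
    '.hidden',           // refused: dots are not allowed in names
    'Missing',           // refused: does not exist
];

foreach ($requests as $req) {
    $path = resolveArticle("$tmp/articles", $req);
    printf("%-20s => %s\n", var_export($req, true), $path ?? 'REFUSED');
}

// remove the demo files again
unlink("$tmp/secret.md");
unlink("$tmp/articles/sub/Page.md");
unlink("$tmp/articles/Home.md");
rmdir("$tmp/articles/sub");
rmdir("$tmp/articles");
rmdir($tmp);
```

Run it with `php resolve_article.php`; the two traversal requests and the dot-file request are refused before the filesystem is touched, and the containment check catches any remaining way (for example a symlink placed inside the articles directory) of resolving to a file outside it.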