the server has a minor path traversal issue #6

Open
opened 2023-04-11 20:47:28 +00:00 by alexlehm · 3 comments

I recently submitted a fix for the tilde.chat wiki for a path traversal issue which allows serving any .md file from the local filesystem. I don't think that has any actual danger since the files will likely be public files from program documentary, still I thought it should be fixed. At the time I was not aware that the wiki code was forked, so I didn't propose the same fix for the wiki.php project.

I just noticed when the xss fix was posted, this means that the path does not directly work, but it should be easy to adapt.

https://tildegit.org/alexlehm/tilde.chat/commit/c2ec0439df79ed6e906b0821d8fba8166a55b183

This fix may have fixed the xss issue as well, I am not sure.

Owner

Oh, this isn't the tilde.chat wiki system. wiki.php is an independent project, with a somewhat uncreative name :)

Owner

However, I'm torn on whether the traversal of the articles and includes pages is a bug, or a feature?

It could be handy to allow downloading of raw .md files.

Author

i guess it should at least trap ../ in some way

since the path comes from the user

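One way to trap `../` as the comment above asks, while still allowing raw `.md` downloads as the owner suggests: an added example, not wiki.php's own code. The `articles` directory name and the `page` query parameter are assumptions.

```php
<?php
// Added example (not wiki.php's own code): map a user-supplied page name to a
// file inside a fixed articles directory and refuse anything that escapes it.
// Assumption: articles are flat "name.md" files under ARTICLE_DIR.

const ARTICLE_DIR = __DIR__ . '/articles';   // hypothetical layout

/**
 * Return the canonical path of the requested article, or null when the name
 * is malformed, the file is missing, or the path resolves outside ARTICLE_DIR.
 */
function resolveArticle(string $page): ?string
{
    // Layer 1: a conservative allow-list. This alone rejects "../", "/",
    // backslashes, null bytes and anything URL-decoded into those characters.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $page)) {
        return null;
    }

    $base = realpath(ARTICLE_DIR);
    if ($base === false) {
        return null; // articles directory does not exist
    }

    // Layer 2: canonicalise and re-check containment. realpath() resolves
    // "." / ".." and follows symlinks, so a symlinked article pointing
    // outside the directory is rejected as well.
    $real = realpath($base . DIRECTORY_SEPARATOR . $page . '.md');
    if ($real === false) {
        return null; // no such file
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the articles directory
    }
    return $real;
}

// Usage: "page" is the untrusted value the issue refers to.
$path = resolveArticle($_GET['page'] ?? 'index');
if ($path === null) {
    http_response_code(404);
    exit('No such page');
}
// Serve the raw markdown as plain text so it is never interpreted as HTML.
header('Content-Type: text/plain; charset=utf-8');
readfile($path);
```

Either layer alone would block the reported traversal; keeping both means a later relaxation of the allow-list (for example to permit subdirectories) still cannot serve files outside the articles directory.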
Reference: ubergeek/wiki.php#6