Directory traversal with static resource handling (CVE-2014-3625) [SPR-12354] #16959

Closed
spring-projects-issues opened this issue Oct 20, 2014 · 0 comments
Labels: in: web (Issues in web modules (web, webmvc, webflux, websocket)); status: backported (An issue that has been backported to maintenance branches); type: bug (A general bug)
Milestone: 4.1.2

Comments

@spring-projects-issues (Collaborator):
Rossen Stoyanchev opened SPR-12354 and commented

This is related to the "directory traversal" report CVE-2014-3625.

Affects: 3.2.11, 4.0.7, 4.1.1

Referenced from: commits 1214624, 379d2e6, 3f68cd6, 161d3e3, 9beae9a, 9cef8e3

Backported to: 4.0.8, 3.2.12

@spring-projects-issues spring-projects-issues added type: bug A general bug status: backported An issue that has been backported to maintenance branches in: web Issues in web modules (web, webmvc, webflux, websocket) labels Jan 11, 2019
@spring-projects-issues spring-projects-issues added this to the 4.1.2 milestone Jan 11, 2019
bclozel added a commit to bclozel/spring-framework that referenced this issue Feb 26, 2019
Prior to this commit, the `PathResourceResolver` would check several
things before resolving static resources:

* make sure that the resolved resource is under an authorized location
* make sure that the whole resource path does not contain illegal chars
  (combinations of URL-encoded "%" chars and "../" path traversal)

In some cases, those checks may be too strict and limit legal usage like
the following:

1) configuring a static location such as "file: ../client-module/src"
2) trying to resolve an NPM-versioned resource like
"/modules/library@1.2.3.js"

This commit performs the invalid character checks on the incoming
resource path only, considering that the configured location path is
trusted by the user. The location checks are still performed.

See gh-16959
Closes gh-
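As an added illustration (not Spring's `PathResourceResolver` and not code from the commit above), a hypothetical `StaticResourceGuard` that applies the two checks the commit message describes: the illegal-character check on the incoming request path only, and the location check on the resolved file, with the configured location treated as trusted. The class name, method names, and the sample location and request paths are constructed for this example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

/** Hypothetical illustration of the two checks; not Spring's PathResourceResolver. */
public final class StaticResourceGuard {

    /** Invalid-character check, applied to the incoming request path only. */
    static boolean isInvalidRequestPath(String requestPath) {
        String candidate = requestPath;
        if (requestPath.contains("%")) {
            try {
                // one decode pass so "%2e%2e/" is seen as "../" ("+" decoding to a space is harmless here)
                candidate = URLDecoder.decode(requestPath, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformedEscape) {
                return true;
            }
            if (candidate.contains("%")) {
                return true; // a "%" surviving one decode pass means double encoding: reject outright
            }
        }
        // a ".." segment, with either separator, is a traversal attempt
        for (String segment : candidate.replace('\\', '/').split("/")) {
            if (segment.equals("..")) {
                return true;
            }
        }
        return false;
    }

    /** Location check: the configured location is trusted (it may itself contain ".."), but the resolved file must stay under it. */
    static Optional<Path> resolve(Path location, String requestPath) {
        if (isInvalidRequestPath(requestPath)) {
            return Optional.empty();
        }
        Path base = location.toAbsolutePath().normalize();
        // strip leading slashes so an absolute request path cannot replace the base
        Path resolved = base.resolve(requestPath.replaceFirst("^/+", "")).normalize();
        return resolved.startsWith(base) ? Optional.of(resolved) : Optional.empty();
    }

    public static void main(String[] args) {
        Path location = Paths.get("target/../client-module/src"); // constructed; ".." in a location is accepted
        for (String request : new String[] {"/modules/library@1.2.3.js", "/../../etc/passwd", "/modules/%2e%2e/%2e%2e/etc/passwd"}) {
            System.out.println(request + " -> " + resolve(location, request).map(Path::toString).orElse("rejected"));
        }
    }
}
```

The NPM-style name `library@1.2.3.js` passes both checks, while the raw and percent-encoded `..` requests are rejected by the character check before any file system lookup; `Path.startsWith` compares whole path elements, so a sibling directory with a longer name cannot satisfy the location check.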