[BUG] Files accessible through axolotl #140
Comments
I will fix it asap, thanks for reporting
@nanu-c my idea of fixing this would be to use the filename instead of the full path as parameter. Should I give it a shot?
For sure, if you want to try it. But the problem is that the attachment has the full path and asks for it.
Actually this bug is not so important in confined environments. Nevertheless it's fixed now.
Description
Through /attachments I have access to every file axolotl has access to. This is especially problematic when the webserver isn't restricted to localhost because then everyone in the network can access the files.
Steps to Reproduce
Open http://localhost:9080/attachments?file=/etc/passwd in a browser
Expected behavior:
Browser gets a 403 for every file outside of the attachments folder.
Actual behavior:
I get the contents of /etc/passwd
Versions
0.8.2