# Directory Traversal

Directory traversal is another injection-style attack, wherein a malicious user tricks filesystem code into reading and/or writing files that the Web server shouldn't have access to. An example might be a view that reads files from the disk without carefully sanitizing the file name:

```python
import os

def dump_file(request):
    filename = request.GET["filename"]
    # os.path.join keeps any ".." segments in filename, and discards
    # BASE_PATH entirely if filename is absolute, so the result is not
    # guaranteed to lie beneath BASE_PATH.
    filename = os.path.join(BASE_PATH, filename)
    content = open(filename).read()
    # ...
```

Though it looks like that view restricts file access to files beneath BASE_PATH (by using os.path.join), if the attacker passes in a filename containing .. (that's two periods, a shorthand for "the parent directory"), she can access files "above" BASE_PATH. It's only a matter of time before she can discover the correct number of dots to successfully access, say, ../../../../../etc/passwd. Anything that reads files without proper escaping is vulnerable to this problem. Views that write files are just as vulnerable, but the consequences are doubly dire.

Another permutation of this problem lies in code that dynamically loads modules based on the URL or other request information. A well-publicized example came from the world of Ruby on Rails. Prior to mid-2006, Rails used URLs like http://example.com/person/poke/1 directly to load modules and call methods. The result was that a carefully constructed URL could automatically load arbitrary code, including a database reset script!

**The Solution** – If your code ever needs to read or write files based on user input, you need to sanitize the requested path very carefully to ensure that an attacker isn't able to escape from the base directory you're restricting access to.

**Note** – Needless to say, you should never write code that can read from any area of the disk!

A good example of how to do this escaping lies in Django's built-in static content-serving view (in django.views.static). Here's the relevant code:

```python
import os
import posixpath
import urllib  # Python 2 API; on Python 3 the equivalent is urllib.parse.unquote
# ...
# `path` is the URL path passed to the serve() view.
path = posixpath.normpath(urllib.unquote(path))
newpath = ''
for part in path.split('/'):
    if not part:
        # strip empty path components
        continue
    drive, part = os.path.splitdrive(part)
    head, part = os.path.split(part)
    if part in (os.curdir, os.pardir):
        # strip '.' and '..' in path
        continue
    newpath = os.path.join(newpath, part).replace('\\', '/')
```

Django doesn't read files (unless you use the static.serve function, but that's protected with the code just shown), so this vulnerability doesn't affect the core code much.

In addition, the use of the URLconf abstraction means that Django will never load code you've not explicitly told it to load. There's no way to create a URL that causes Django to load something not mentioned in a URLconf.