Broken Path Sanitization in spacecookie Library
The spacecookie library exposes the functions
sanitizePath and sanitizeIfNotUrl intended to
remove .. components from paths which can be used to
prevent path traversal attacks. Due to erroneous comparison code, this
elimination is not actually performed which has been remedied in version
1.0.0.3 by properly comparing using equalFilePath.
Any user of those respective functions of any version of spacecookie
should upgrade to 1.0.0.3 or later. Note that the spacecookie server
executable included in the same package is not affected by the problem
since a separate check would reject any malicious path that gets by
sanitizePath.
Info
- Published
- May 06, 2025
- Modified
- May 06, 2025
- CAPECs
- 126
- CWEs
- 23
- Keywords
- gopher, path-traversal
- Aliases
- < none >
- Related
- < none >
- References
- [FIX] https://github.com/sternenseemann/spacecookie/commit/2854a8a70833e7abdeeff3c02596a6f2a2f35c61
Affected
spacecookie
- CVSS
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Versions
>=0.2.0.0 && <1.0.0.3- Declarations
Network.Gopher.Util.sanitizeIfNotUrl:>=1.0.0.0 && <1.0.0.3Network.Gopher.Util.sanitizePath:>=1.0.0.0 && <1.0.0.3Network.Gopher.Util.santinizeIfNotUrl:>=0.2.0.0 && <1.0Network.Gopher.Util.santinizePath:>=0.2.0.0 && <1.0