None

[haby0]

None

[sampsyo]

Good question! Could you please email me directly at adrian@radbox.org?

[sampsyo]

I have no objection in principle. But could you perhaps clarify what work/responsibilities this would require of the project maintainers?

[sampsyo]

OK! Maybe you could help out by writing up the description for the disclosure filing?

For that, I think a super useful step to make things more concrete would be to demonstrate a proof of concept. As I mentioned in the message for #4160, I'm actually not 100% clear on whether this is exploitable—namely, it seems like you would want to construct an img_filename like ../foo/bar.txt, but I don't think the Flask URL parser would allow slashes in the chunk of the URL denoted by the <string:image_id> pattern. So maybe a little more homework to demonstrate/describe exactly how this works would be helpful for the process?

[sampsyo]

As I mentioned above, can you please include a proof of concept, i.e., a concrete example of a path that you have tried requesting and which demonstrates an out-of-directory read?

[sampsyo]

Hi, @haby0—have you actually tried out this request in a running server? As I asked above, it would be really useful to see a demonstration, i.e., an execution showing Flask actually parsing this URL and actually generating a "bad" filename.

In particular, I think your example only works on Windows? Is that the case? I don't think other OSes interpret \ as directory separators. If so, maybe this is worth mentioning in the disclosure?

(This is why I have been asking for an actual, concrete demonstration instead of just high-level output from a static analysis tool. It seems important to do some digging to understand exactly what is possible and how so we can put actionable, truthful information in a disclosure.)

[sampsyo]

Those are both intriguing statements—do you think you could provide more details on both of those? For example, actual terminal output from the Windows execution could be great. And I don't exactly see how fuzzing would apply here—which fuzzer did you use, with what configuration, etc.?

[sampsyo]

From @haby0 via email:

Text proof.

There is no local proof that the vulnerability exists, I will not send it to you, it will not do me any good...

Path injection of Flask String type under Windows.docx

The attachment appears to consist of screenshots of a small Flask app handcrafted to show a path injection vulnerability. It is not a demonstration in beets itself. It does, however, seem to suggest that backslashes are enough to craft an out-of-directory read specifically on Windows.

Anyway, I guess we can take it from here. @haby0, while we appreciate your report, this has been an extremely difficult process because of how hard it has been to get details and cooperation from you. I'm not sure you're aware of this, but your messages have been vague and very short on details, which makes it really hard to take action based on your input. You seem to have some motivation that is not aligned with helping the project; perhaps there is some incentive to file CVEs even without deep understanding of the underlying problem. I need to respectfully ask you to disengage at this point; the maintainers may be able to get around to creating the vulnerability report, but it may take some time. Additional "bumps" to remind us to do so will not be helpful.