-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
None #4111
Comments
Good question! Could you please email me directly at adrian@radbox.org? |
I have no objection in principle. But could you perhaps clarify what work/responsibilities this would require of the project maintainers? |
OK! Maybe you could help out by writing up the description for the disclosure filing? For that, I think a super useful step to make things more concrete would be to demonstrate a proof of concept. As I mentioned in the message for #4160, I'm actually not 100% clear on whether this is exploitable—namely, it seems like you would want to construct an |
As I mentioned above, can you please include a proof of concept, i.e., a concrete example of a path that you have tried requesting and which demonstrates an out-of-directory read? |
Hi, @haby0—have you actually tried out this request in a running server? As I asked above, it would be really useful to see a demonstration, i.e., an execution showing Flask actually parsing this URL and actually generating a "bad" filename. In particular, I think your example only works on Windows? Is that the case? I don't think other OSes interpret (This is why I have been asking for an actual, concrete demonstration instead of just high-level output from a static analysis tool. It seems important to do some digging to understand exactly what is possible and how so we can put actionable, truthful information in a disclosure.) |
Those are both intriguing statements—do you think you could provide more details on both of those? For example, actual terminal output from the Windows execution could be great. And I don't exactly see how fuzzing would apply here—which fuzzer did you use, with what configuration, etc.? |
From @haby0 via email:
The attachment appears to consist of screenshots of a small Flask app handcrafted to show a path injection vulnerability. It is not a demonstration in beets itself. It does, however, seem to suggest that backslashes are enough to craft an out-of-directory read specifically on Windows. Anyway, I guess we can take it from here. @haby0, while we appreciate your report, this has been an extremely difficult process because of how hard it has been to get details and cooperation from you. I'm not sure you're aware of this, but your messages have been vague and very short on details, which makes it really hard to take action based on your input. You seem to have some motivation that is not aligned with helping the project; perhaps there is some incentive to file CVEs even without deep understanding of the underlying problem. I need to respectfully ask you to disengage at this point; the maintainers may be able to get around to creating the vulnerability report, but it may take some time. Additional "bumps" to remind us to do so will not be helpful. |
None
The text was updated successfully, but these errors were encountered: