security hole in storage

WS-PGRADE/gUSE grid and cloud science gateway framework

Brought to you by: akosbalasko, i-mi, zfarkas

#210 security hole in storage

Milestone: 3.6.2

Status: closed

Owner: Karóczkai Krisztián

Labels: None

Priority: 7

Updated: 2014-08-14

Created: 2014-02-25

Creator: Bela Hullar

Private: No

the getFile method of storage should only accept a path which points to a file in the storage folder and/or it should use some kind of authentication.
The following call works with guse version 3.5.7 and also with 3.6.2 and returns a file from the user directory. In the same way arbitrary file can be accessed by anyone.
:8080/storage/getFile?path=../users/.quota

Discussion

Zoltán Farkas - 2014-02-25

assigned_to: Karóczkai Krisztián
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Karóczkai Krisztián - 2014-08-14

status: open --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Karóczkai Krisztián - 2014-08-14

Fixed

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

security hole in storage

WS-PGRADE/gUSE grid and cloud science gateway framework

Group

Searches

Help

#210 security hole in storage

Discussion