Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Directory Traversal Vulnerability in FileDownloader #1028

Closed
triwater opened this issue May 17, 2018 · 2 comments
Closed

Directory Traversal Vulnerability in FileDownloader #1028

triwater opened this issue May 17, 2018 · 2 comments
Labels
bug
Milestone
1.7.4

Comments

@triwater
Copy link

triwater commented May 17, 2018
edited
Loading

We have found a directory traversal vulnerability in FileDownloader, which may cause remote code execution.
For consideration of security, we do not reveal the detail of this vulnerability currently.
Welcome contact me by Email: tiamo_inter#foxmail.com

Update: CVE has assigned this vulnerability an ID: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11248
@rantianhua
Copy link
Collaborator

I've sent you an email.

@Jacksgong Jacksgong reopened this May 17, 2018
@Jacksgong
Copy link
Collaborator

Thanks for your report, this issue will be handled as soon as possible and if the response filename with such venom-case, we will end download with error status as default.

@Jacksgong Jacksgong added the bug label May 17, 2018
@Jacksgong Jacksgong modified the milestones: 1.7.4, okdownload May 17, 2018
Jacksgong added a commit that referenced this issue May 18, 2018
@Jacksgong
fix: cover the case of filename contain raise the directory traversal…
e8dd772 
… vulnerability

refs #1028
Jacksgong added a commit that referenced this issue May 18, 2018
@Jacksgong
chore: fix typo on the directory traversal vulnerability message
ff240b8 
refs #1028
@copernico copernico mentioned this issue Mar 25, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
1.7.4
Development

No branches or pull requests
3 participants
@Jacksgong @rantianhua @triwater