Dear users of Akka HTTP and Spray,

We have just released akka-http 2.4.11 and spray 1.3.4 with a critical
security update for users running akka-http servers on Windows. We were
notified (akka/akka-http#346 <https://github.com/akka/akka-http/issues/346>)
that on Windows akka-http’s `getFromDirectory`, `getFromBrowseableDirectory`,
`getFromBrowseableDirectories`, and `listDirectoryContents` directives
unintentionally allow access to directories and files outside of the
specified directory. All directories and files on the same drive as the
specified directory for which the server process has sufficient permissions may
be downloaded or browsed. This can be easily exploited with a specially
crafted URI. For example, a request such as
http://localhost:8080/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows/win.ini
when handled by one of the affected directives could expose your win.ini
(and potentially any other file) to the attacker.
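
To show where the check goes wrong, here is an added Python model of the
directory-confinement check; it is not code from akka-http or spray. With
separators="/" it mimics the pre-fix behaviour of treating only `/` as a
separator, with "/\\" it also honours the backslash that Windows accepts;
the base directory C:/srv/www/static is a hypothetical value.

```python
"""Model of a static-file confinement check and why it fails on Windows.
Checking only '/'-separated segments for '..' is not enough when '\\' is also
a separator: a percent-encoded backslash (%5c) hides the '..' segments from
the check, and the OS then walks out of the served directory."""
import ntpath
import posixpath
from urllib.parse import unquote

# Request path quoted in the advisory (constructed; scheme and host dropped).
CRAFTED_PATH = "/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows/win.ini"
BASE_DIR = "C:/srv/www/static"  # hypothetical served directory

def path_segments(request_path, separators):
    """Percent-decode the path and split it on every char in `separators`."""
    decoded = unquote(request_path)
    for sep in separators[1:]:
        decoded = decoded.replace(sep, separators[0])
    return [s for s in decoded.split(separators[0]) if s not in ("", ".")]

def confined_path(base_dir, request_path, separators="/"):
    """Resolve request_path under base_dir; return None if it climbs out.
    separators="/"   mimics the pre-fix check (only slash splits segments).
    separators="/\\" is the Windows-aware check that also splits on backslash.
    """
    parts = []
    for seg in path_segments(request_path, separators):
        if seg == "..":
            if not parts:
                return None  # would climb above base_dir
            parts.pop()
        elif ":" in seg or "\0" in seg:
            return None  # drive letter / NUL inside a segment: reject outright
        else:
            parts.append(seg)
    return posixpath.join(base_dir, *parts)

def windows_would_open(path):
    """How Windows itself collapses the path (ntpath works on any host OS)."""
    return ntpath.normpath(path)

def naive_result():
    """Pre-fix check: the crafted path passes as one harmless-looking segment."""
    return confined_path(BASE_DIR, CRAFTED_PATH, "/")

def hardened_result():
    """Windows-aware check: the hidden '..' segments are seen and rejected."""
    return confined_path(BASE_DIR, CRAFTED_PATH, "/\\")
```

Running naive_result() through windows_would_open() shows the file the OS
would actually open, which is outside BASE_DIR; hardened_result() is None.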

Please update to the latest version of akka-http as soon as possible.

Affected configurations:

   - OS: Windows
   - Modules:
      - akka-http-experimental prior to 2.4.11
      - spray-routing and spray-routing-shapeless2 prior to 1.3.4
   - Affected directives:
      - getFromDirectory
      - getFromBrowseableDirectory
      - getFromBrowseableDirectories
      - listDirectoryContents

Fixed versions:

   - akka-http-experimental 2.4.11
   - akka-http-experimental 2.0.5
   - spray 1.3.4


Following best security practice, we furthermore recommend running the
web server process under a user account with as few permissions as
possible, to limit unintended file access. We also suggest using Linux
servers and/or containers for hosting Akka HTTP applications, as these
OSes receive more scrutiny than any other OS simply because of the
overwhelming number of installations running on Linux.

Please note that we have also updated Spray 1.3, even though it is slowly
reaching its end of life and will be deprecated with the upcoming (very
soon) stable release of Akka HTTP. Please update to the latest version of
Spray if you are using it, and be prepared to move onwards to Akka HTTP
soon.

Many thanks go to @roikonen for reporting the problem, @2beaucoup for
providing a fix and @rbudzko and @jypma for providing advice for fixing the
problem.


-- 

Patrik Nordwall
Akka Tech Lead
Lightbend <http://www.lightbend.com/> -  Reactive apps on the JVM
Twitter: @patriknw
