Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hi,
There was a directory traversal bug in servefile; it was fixed in
version 0.4.4. I talked to the Debian security team and they said a DSA
would not be necessary and recommended doing a stable-pu. Therefore
I'd like to propose an update to 0.4.4 (debdiff attached).
Greetings,
seba
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru servefile-0.4.3/ChangeLog servefile-0.4.4/ChangeLog
--- servefile-0.4.3/ChangeLog 2013-12-28 01:55:41.0 +0100
+++ servefile-0.4.4/ChangeLog 2015-11-10 21:05:35.0 +0100
@@ -1,6 +1,18 @@
servefile changelog
===
+2015-11-10 v0.4.4
+-
+
+ 0.4.4 released
+
+ * prefer using TLS1.2/TLS1 with --ssl if available
+ * issue v3 certificates for self signed certificates with --ssl
+ * removed lots of unnecessary error output
+ * fixed a bug where wrong ranges were used on a HEAD request in directory listing mode
+ * fixed a bug where directory listing mode allowed path traversal
+
+
2013-12-28 v0.4.3
-
diff -Nru servefile-0.4.3/debian/changelog servefile-0.4.4/debian/changelog
--- servefile-0.4.3/debian/changelog 2014-08-12 22:11:04.0 +0200
+++ servefile-0.4.4/debian/changelog 2015-11-11 15:52:59.0 +0100
@@ -1,3 +1,9 @@
+servefile (0.4.4-1~deb8u1) jessie; urgency=high
+
+ * New upstream version
+
+ -- Sebastian Lohff <s...@someserver.de> Tue, 10 Nov 2015 21:22:17 +0100
+
servefile (0.4.3-1) unstable; urgency=low
* New upstream version
diff -Nru servefile-0.4.3/debian/control servefile-0.4.4/debian/control
--- servefile-0.4.3/debian/control 2014-08-13 00:41:01.0 +0200
+++ servefile-0.4.4/debian/control 2015-11-10 21:27:07.0 +0100
@@ -3,7 +3,7 @@
Priority: optional
Maintainer: Sebastian Lohff <s...@someserver.de>
Build-Depends: debhelper (>= 9.0~), python
-Standards-Version: 3.9.5
+Standards-Version: 3.9.6
Homepage: http://seba-geek.de/stuff/servefile/
Package: servefile
diff -Nru servefile-0.4.3/PKG-INFO servefile-0.4.4/PKG-INFO
--- servefile-0.4.3/PKG-INFO 2013-12-28 02:31:38.0 +0100
+++ servefile-0.4.4/PKG-INFO 2015-11-10 21:13:09.0 +0100
@@ -1,6 +1,6 @@
Metadata-Version: 1.0
Name: servefile
-Version: 0.4.3
+Version: 0.4.4
Summary: Serve files from shell via a small HTTP server
Home-page: http://seba-geek.de/stuff/servefile/
Author: Sebastian Lohff
diff -Nru servefile-0.4.3/servefile servefile-0.4.4/servefile
--- servefile-0.4.3/servefile 2013-12-28 02:21:57.0 +0100
+++ servefile-0.4.4/servefile 2015-11-10 20:54:36.0 +0100
@@ -7,7 +7,7 @@
from __future__ import print_function
-__version__ = '0.4.3'
+__version__ = '0.4.4'
import argparse
import base64
@@ -16,7 +16,6 @@
import mimetypes
import urllib
import os
-import posixpath
import re
import select
import socket
@@ -102,7 +101,7 @@
try:
fromto[0] = int(fromto[0])
fromto[1] = int(fromto[1])
- except:
+ except ValueError:
return (False, None)
if fromto[0] >= fileLength or fromto[0] < 0 or fromto[1] >= fileLength or fromto[1]-fromto[0] < 0:
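Review bot: Narrowing the bare except to ValueError is the right direction, but int() raises TypeError rather than ValueError when an element of fromto is not a string or number (for example None standing in for an open-ended range), and that would now escape as a 500 instead of the previous (False, None). How fromto is built is not visible in this hunk; if a non-string element is possible there, the guard should read `except (ValueError, TypeError):`. The enclosing function starts and ends outside the hunk.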
@@ -154,11 +153,7 @@
self.end_headers()
block = self.getChunk(myfile, fromto)
while block:
- try:
-self.wfile.write(block)
- except socket.error as e:
-print("%s ABORTED transmission (Reason %s: %s)" % (self.client_address[0], e[0], e[1]))
-return False
+ self.wfile.write(block)
block = self.getChunk(myfile, fromto)
myfile.close()
print("%s finished downloading %s" % (self.client_address[0], filePath))
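Review bot: With the socket.error handler removed, a client that disconnects mid-transfer now raises out of the write loop and `myfile.close()` on the line after the loop is skipped, so the file handle stays open until garbage collection (the removed handler also returned without closing, so the leak is pre-existing, but the exception path is now the only error exit). Wrapping the loop in try/finally closes the file on every exit while still letting the exception propagate to the request handler as the commit intends. The "ABORTED transmission" log line also disappears with this change, so an aborted download is now only visible as whatever the server base class prints for an unhandled exception; a narrow `except socket.error` that logs and returns would keep that signal. The enclosing method starts outside the hunk.
```python
        self.end_headers()
        try:
            block = self.getChunk(myfile, fromto)
            while block:
                self.wfile.write(block)
                block = self.getChunk(myfile, fromto)
        finally:
            myfile.close()
        # … unchanged: "finished downloading" log line …
```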
@@ -310,6 +305,15 @@
""" Send file or directory index, depending on requested path """
path = self.getCleanPath()
+ # check if path is in current serving directory
+ currBaseDir = os.path.abspath(self.targetDir) + os.path.sep
+ requestPath = os.path.normpath(os.path.join(currBaseDir, path)) + os.path.sep
+ if not requestPath.startswith(currBaseDir):
+ self.send_response(301)
+ self.send_header("Location", '/')
+ self.end_headers()
+ return
+
if os.path.isdir(path):
if not self.path.endswith('/'):
self.send_response(301)
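Review bot: The containment check validates `requestPath`, but the code that follows still operates on `path` (`os.path.isdir(path)` and `self.sendFile(path, head)`), so the path that was checked and the path that is opened only coincide if getCleanPath() returns a path relative to targetDir and the process cwd is targetDir, neither of which is visible here. Using the validated absolute path for the file operations, e.g. `path = requestPath[:-1]` immediately before `if os.path.isdir(path):`, removes that dependency (sendFile presumably logs the path, so the log text would then show the absolute form). os.path.normpath does not resolve symlinks, so a symlink inside targetDir that points outside it still passes the prefix test; if serving through such links is not intended, build requestPath with os.path.realpath instead, and note that the `+ os.path.sep` suffix is what keeps a sibling directory with the same prefix (dir vs dir2) from passing. Answering a rejected path with a 301 to '/' records the event only as a redirect; a 403 makes the rejection explicit in the access log. The enclosing method starts outside the hunk.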
@@ -325,7 +329,7 @@
self.end_headers()
else:
self.send_response(200)
- self.sendContentHeaders(self, path, length)
+ self.sendContentHeaders(path, length)
self.end_headers()
else:
self.sendFile(path, head)
@@ -406,7 +410,7 @@
- """ % {'path': posixpath.normpath(urllib.unquote(self.path))}
+ """ % {'path': os.p