| packages: |
| - module: aahframe.work |
| symbols: |
| - HTTPEngine.Handle |
| derived_symbols: |
| - Application.Run |
| - Application.ServeHTTP |
| - Application.Start |
| versions: |
| - fixed: 0.12.4 |
| description: | |
| Due to improper santization of user input, HTTPEngine.Handle allows |
| for directory traversal, allowing an attacker to read files outside of |
| the target directory that the server has permission to read. |
| published: 2021-04-14T20:04:52Z |
| credit: '@snyff' |
| links: |
| pr: https://github.com/go-aah/aah/pull/267 |
| commit: https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec |
| context: |
| - https://github.com/go-aah/aah/issues/266 |