blob: 44c259fb5d1153d6e1f599f2694d9f8ea43af3c2 [file] [log] [blame]
packages:
- module: aahframe.work
symbols:
- HTTPEngine.Handle
derived_symbols:
- Application.Run
- Application.ServeHTTP
- Application.Start
versions:
- fixed: 0.12.4
description: |
Due to improper santization of user input, HTTPEngine.Handle allows
for directory traversal, allowing an attacker to read files outside of
the target directory that the server has permission to read.
published: 2021-04-14T20:04:52Z
credit: '@snyff'
links:
pr: https://github.com/go-aah/aah/pull/267
commit: https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec
context:
- https://github.com/go-aah/aah/issues/266