CVE-2024-23334 Directory Traversal
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When aiohttp is used as a web server and a static route is configured, the root path of the static files must be specified. In addition, the `follow_symlinks` option determines whether symbolic links pointing outside the static root directory are followed. When `follow_symlinks` is set to True, no check is made that the file being read lies inside the root directory. This can lead to a directory traversal vulnerability, giving unauthorized access to arbitrary files on the system even when no symbolic link exists. Disabling `follow_symlinks` and using a reverse proxy are available mitigations. The issue was fixed in version 3.9.2.
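The description above comes down to one missing check: when symlinks are followed, the resolved path is never verified to lie under the static root. The following Python is an added illustration (not aiohttp's own code, and `safe_static_path`, `unchecked_static_path`, `_within` and `demo` are hypothetical names chosen here) that contrasts an unchecked path mapping with one that keeps the containment check in both modes: `..` traversal is rejected lexically before any symlink is resolved, and with `follow_symlinks=False` the real path must also stay under the root. The fixture files and the request paths in `demo()` are constructed for the example.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def _within(path: Path, root: Path) -> bool:
    """True if `path` is `root` or located beneath it (purely lexical)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def unchecked_static_path(root: Path, request_path: str) -> Optional[Path]:
    """The flawed pattern the advisory describes (illustration, not aiohttp's code):
    the path is resolved, but nothing verifies it still lies under `root`."""
    target = root.resolve().joinpath(request_path.lstrip("/")).resolve()
    return target if target.is_file() else None


def safe_static_path(root: Path, request_path: str, follow_symlinks: bool) -> Optional[Path]:
    """Map a decoded URL path to a file under `root`, refusing anything that escapes it.

    `request_path` is assumed to be already percent-decoded, as a framework would
    hand it to a static handler.
    """
    root = root.resolve()
    # Lexical normalisation first: collapses "a/../b" and exposes a leading ".."
    # before any filesystem lookup happens.
    normalized = Path(os.path.normpath(os.path.join(root, request_path.lstrip("/"))))
    if not _within(normalized, root):
        return None  # ".." traversal out of the root
    target = normalized.resolve()
    if not follow_symlinks and not _within(target, root):
        return None  # a symlink (or similar) inside the root points outside it
    # With follow_symlinks=True a symlink may point outside by design, but the
    # traversal check above still ran, so ".." cannot be used to leave the root.
    return target if target.is_file() else None


def demo() -> dict:
    """Build a constructed static root with a file, a sibling file outside the
    root, and a symlink to that outside file; return the outcome of each check."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "static"
        root.mkdir()
        (root / "index.html").write_text("<h1>ok</h1>")
        secret = base / "secret.txt"  # constructed file outside the static root
        secret.write_text("constructed content outside the root")
        (root / "link").symlink_to(secret)
        return {
            "normal_file": safe_static_path(root, "/index.html", True) is not None,
            "dotdot_follow": safe_static_path(root, "/../secret.txt", True),
            "dotdot_nofollow": safe_static_path(root, "/../secret.txt", False),
            "symlink_nofollow": safe_static_path(root, "/link", False),
            "symlink_follow": safe_static_path(root, "/link", True) == secret.resolve(),
            "unchecked_dotdot": unchecked_static_path(root, "/../secret.txt") == secret.resolve(),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point to take from `demo()` is the difference between the two `..` cases: the unchecked mapping happily returns the file outside the root, while the checked mapping returns `None` regardless of the `follow_symlinks` setting, and only a deliberately placed symlink with `follow_symlinks=True` can reach outside.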
References:
Environment setup
Run the following command to start aiohttp:3.9.1:
After the environment starts, visit http://your-ip:8080/cas/login to see the login page.
Vulnerability reproduction