Posted to commits@bookkeeper.apache.org by "Shawyeok (via GitHub)" <gi...@apache.org> on 2023/06/11 10:19:58 UTC

[GitHub] [bookkeeper] Shawyeok opened a new pull request, #3982: Fix vertx httpserver arbitrary file upload vulnerability

Shawyeok opened a new pull request, #3982:
URL: https://github.com/apache/bookkeeper/pull/3982

   ### Motivation
   
   There is a potential arbitrary file upload vulnerability with `httpServerEnabled=true`; it is caused by `BodyHandler.create()`, which returns a BodyHandler that automatically processes file upload requests.
   https://github.com/apache/bookkeeper/blob/7f64246ad38981126cc8dd929ff448805a738b8f/bookkeeper-http/vertx-http-server/src/main/java/org/apache/bookkeeper/http/vertx/VertxHttpServer.java#L82
   
   This simple command will upload a file into the `file-uploads` directory under the bookkeeper server process's `CWD`.
   ```shell
   $ curl -i --request POST \
     --url http://localhost:8000/api/v1/bookie/info \
     --header 'Content-Type: multipart/form-data' \
     --form file=@<a-path-of-the-file>
   
   $ ls
   LICENSE  NOTICE  README.md  bin  conf  deps  file-uploads  lib  logs  scripts
   $ ls file-uploads
   758801ba-ea1e-49e3-85d6-e510f539ea0d
   ```
   
   ### Changes
   
   Create the `BodyHandler` with handleFileUploads disabled (`BodyHandler.create(false)`).


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@bookkeeper.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
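
As an added illustration of the change described in the PR above (example code, not bookkeeper's own `VertxHttpServer`), here is a minimal hypothetical Vert.x server showing the default `BodyHandler` beside the corrected one; the route path is the one from the PR, and the 1 MiB body limit is an added assumption, not part of the fix.

```java
import io.vertx.core.Vertx;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.handler.BodyHandler;

// Hypothetical minimal server mirroring the shape of a Vert.x Web setup
// with a router-wide BodyHandler, as in the PR.
public class BodyHandlerUploadExample {

    // Before the fix: BodyHandler.create() handles multipart uploads, so every
    // multipart part sent to ANY route is written to "file-uploads" under the CWD.
    static Router vulnerableRouter(Vertx vertx) {
        Router router = Router.router(vertx);
        router.route().handler(BodyHandler.create());
        router.route("/api/v1/bookie/info").handler(ctx ->
            ctx.response().putHeader("content-type", "application/json")
               .end(new JsonObject().put("status", "ok").encode()));
        return router;
    }

    // After the fix: handleFileUploads=false, so multipart parts are not written
    // to disk. The body limit (assumed 1 MiB) is an extra bound on request bodies.
    static Router hardenedRouter(Vertx vertx) {
        Router router = Router.router(vertx);
        router.route().handler(BodyHandler.create(false).setBodyLimit(1024 * 1024));
        router.route("/api/v1/bookie/info").handler(ctx ->
            ctx.response().putHeader("content-type", "application/json")
               .end(new JsonObject().put("status", "ok").encode()));
        return router;
    }

    public static void main(String[] args) {
        Vertx vertx = Vertx.vertx();
        vertx.createHttpServer()
             .requestHandler(hardenedRouter(vertx))
             .listen(8000, ar -> {
                 if (ar.succeeded()) {
                     System.out.println("listening on 8000 with file uploads disabled");
                 } else {
                     ar.cause().printStackTrace();
                     vertx.close();
                 }
             });
    }
}
```

With `hardenedRouter`, the `curl` request from the PR description still gets a normal response, but no `file-uploads` directory appears in the server's CWD, which is the check to run after deploying the fix.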


[GitHub] [bookkeeper] zymap commented on pull request #3982: Fix arbitrary file upload vulnerability with httpServerEnabled

Posted by "zymap (via GitHub)" <gi...@apache.org>.
zymap commented on PR #3982:
URL: https://github.com/apache/bookkeeper/pull/3982#issuecomment-1586431104

   @Shawyeok Please fix the checkstyle issue in your code.




[GitHub] [bookkeeper] hangc0276 merged pull request #3982: Fix arbitrary file upload vulnerability with httpServerEnabled

Posted by "hangc0276 (via GitHub)" <gi...@apache.org>.
hangc0276 merged PR #3982:
URL: https://github.com/apache/bookkeeper/pull/3982




[GitHub] [bookkeeper] Shawyeok commented on pull request #3982: Fix arbitrary file upload vulnerability with httpServerEnabled

Posted by "Shawyeok (via GitHub)" <gi...@apache.org>.
Shawyeok commented on PR #3982:
URL: https://github.com/apache/bookkeeper/pull/3982#issuecomment-1586499493

   > @Shawyeok Please fix the checkstyle issue in your code.
   
   @Shoothzj Fixed, PTAL

