Fixing a path traversal vuln. in the file_server emulator

[hun7err]

Unsanitized file path lead to a path traversal vulnerability in the file_server emulator allowing glastopf to read arbitrary files including configuration and the database file.

[glaslos]

Nice catch. Should be probably also fixed here: https://github.com/mushorg/glastopf/blob/master/glastopf/modules/classification/request.py#L84
Also check out SNARE and TANNER: https://github.com/mushorg/snare which succeed Glastopf

[hun7err]

Thanks! I've just created a PR for request.py as well. Thank you for recommending snare, wouldn't have known about it otherwise :)

[katkad]

Hello, nice catch.

Can you please share a reproducer ? I am trying to accomplish path traversal in my glastopf.

[hun7err]

Thanks and sorry for the late answer,

http://example.com/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd

was a url that worked for me.

[katkad]

@hun7err thank you very much. nice catch indeed