Security problems with move / rename / etc.

[alanswx]

If I do a move with the dialog, and put in a path of ../../../hello it seems to move the file / directory beyond the root of our safe spot. I started working on a patch, but I think it effects copy/delete/edit etc. It seems like the upload safe's the name - I am not sure if I can hack the form and have it upload anywhere.

[alanswx]

I think this is fixed in #6

[alanswx]

I think the ajax request for download doesn't have a path check.

[jsooter]

Thanks for doing that @alanswx

[alanswx]

Also - in move, I didn't check the source, only the destination. You could move "/etc/passwd" into the volume probably..

[jsooter]

1. Don't run this as a privileged user and that will solve most file system security issues
2. What I didn't think of is that it could modify it's own source and that should probably be prevented. A simple function to check the path should work. It could be done before the request gets routed by Flask.

[alanswx]

I think we could put in a few more checks. I am confused about all the code paths. If we could test each of them with a bogus path that would be great. I wonder if some of this code isn't needed - since they changed the API around.

[jsooter]

When I wrote it I used the wiki as spec. It really needs to be reviewed again since the update.
https://github.com/servocoder/RichFilemanager/wiki/API#methods