[[tags: egg awful-salmonella-tar]]

== awful-salmonella-tar

[[toc:]]

=== Introduction

This is an [[/egg/awful|awful]] application to extract [[/egg/salmonella|salmonella]] report files from {{tar}} archives.

It requires {{tar}} (tested with GNU tar, specifically). For compressed report tar files, {{gzip}} or {{bzip2}} is required (by default, {{gzip}} is used).

To see it working, install {{awful-salmonella-tar}} with:

<enscript highlight="sh">
$ chicken-install awful-salmonella-tar
</enscript>

Then add some test data:

<enscript highlight="sh">
$ mkdir -p reports/master/gcc/linux/x86-64/2018/09/02/
$ cd reports/master/gcc/linux/x86-64/2018/09/02/
$ wget https://salmonella-linux-x86-64.call-cc.org/master/gcc/linux/x86-64/2018/09/02/salmonella.log.bz2
$ bzip2 -d salmonella.log.bz2
</enscript>

You'll need [[/egg/salmonella-html-report|salmonella-html-report]] to generate report data out of the salmonella log file. If you don't have it installed:

<enscript highlight="sh">
$ chicken-install salmonella-html-report
</enscript>

Then generate the report, pack it into a tar archive and start the application:

<enscript highlight="sh">
$ salmonella-html-report salmonella.log salmonella-report
$ tar czf salmonella-report.tar.gz salmonella-report
$ rm -rf salmonella-report
$ cd -
$ cat <<EOF > awful-salmonella-tar-app.scm
(cond-expand
  (chicken-4 (use awful-salmonella-tar))
  (chicken-5 (import awful-salmonella-tar))
  (else (error "Unsupported CHICKEN version.")))
(awful-salmonella-tar "/")
EOF
$ awful awful-salmonella-tar-app.scm
</enscript>

Then request, for example, http://localhost:8080/reports/master/gcc/linux/x86-64/2018/09/02/salmonella-report/

=== Author

[[/users/mario-domenech-goulart|Mario Domenech Goulart]]

=== Repository

{{awful-salmonella-tar}} is maintained in a [[https://github.com/mario-goulart/awful-salmonella-tar|Github repository]].

=== License

Copyright (c) 2011-2020, Mario Domenech Goulart
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

# Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
# Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
# The name of the authors may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

=== Version history

==== Version 0.0.4 (2022-02-17)

Fix path traversal vulnerability.

This change fixes a path traversal vulnerability that would allow attackers to navigate through the filesystem of the server (provided execute access to directories for the user running the web server). Attackers could only list the contents of directories -- not download files.

The vulnerability was caused by the lack of a check for the validity of requested paths when handling directories, notably when {{..%2F}} ({{../}} URL-encoded) was present in requested paths.

Background: awful-salmonella-tar is implemented using [[/egg/awful|awful]]. Awful is implemented on top of [[/egg/spiffy|spiffy]], and overrides the {{(handle-not-found)}} parameter to map URL paths to procedures. Spiffy takes some precautions regarding malicious paths when it handles static files. Code that uses spiffy to generate dynamic content (as awful does) must take its own precautions.

awful-salmonella-tar uses a procedure ({{safe-path?}}) with a relatively strict policy to allow access to files, but it was not being used to validate access to directories, and that was causing the vulnerability. This change applies {{safe-path?}} to all requested paths.

Thanks to Chris Brannon for responsibly reporting this issue.

==== Version 0.0.3

* Initial release as a CHICKEN egg (2020-11-07)
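As an added illustration of the fix described above (example code, not the egg's own {{safe-path?}}, whose exact policy this page does not give; the allow rule, {{percent-decode}} and the {{handle-request}} dispatcher are assumptions), a CHICKEN 5 sketch that runs one path check before the file/directory split, so directory listings are covered too, and that also rejects the fully percent-encoded {{%2e%2e}} form, slightly beyond the {{..%2F}} case the changelog names:

```scheme
;; Added example, not the egg's own code. Shows the property the 0.0.4 fix
;; restored: every requested path is validated, whether it ends up being
;; served as a file or listed as a directory.
(import (chicken string) (chicken format))

;; A single hex digit, as used inside a %XX escape.
(define (hex-digit? c) (string->number (string c) 16))

;; Decode %XX escapes once, so "..%2F" is inspected as "../" and "%2e%2e"
;; as "..", i.e. the form the server would actually hand to the filesystem.
(define (percent-decode str)
  (let loop ((chars (string->list str)) (acc '()))
    (cond ((null? chars) (list->string (reverse acc)))
          ((and (char=? (car chars) #\%)
                (pair? (cdr chars)) (pair? (cddr chars))
                (hex-digit? (cadr chars)) (hex-digit? (caddr chars))
                (string->number (string (cadr chars) (caddr chars)) 16))
           => (lambda (code)
                (loop (cdddr chars) (cons (integer->char code) acc))))
          (else (loop (cdr chars) (cons (car chars) acc))))))

;; Strict allow policy (an assumption for this example): the decoded path
;; must be absolute and must not contain a ".." component anywhere.
(define (safe-path? path)
  (let ((decoded (percent-decode path)))
    (and (> (string-length decoded) 0)
         (char=? (string-ref decoded 0) #\/)
         (not (member ".." (string-split decoded "/"))))))

;; Simulated dispatcher: the check happens before deciding between a file
;; response and a directory listing, so neither branch can skip it.
(define (handle-request path)
  (cond ((not (safe-path? path)) (list 'forbidden path))
        ((char=? (string-ref path (- (string-length path) 1)) #\/)
         (list 'list-directory path))
        (else (list 'serve-file path))))

;; Constructed sample requests: two legitimate, two traversal attempts.
(for-each
 (lambda (p) (printf "~a => ~a~%" p (handle-request p)))
 '("/reports/master/gcc/linux/x86-64/2018/09/02/salmonella-report/"
   "/reports/master/gcc/linux/x86-64/2018/09/02/salmonella-report/index.html"
   "/reports/..%2F..%2Fetc/"
   "/reports/%2e%2e/%2e%2e/etc/"))
```

Because the check runs on the decoded path, the two traversal requests are reported as {{forbidden}} while both legitimate requests are dispatched normally.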