Question 1

Is there a bug in tower-http 0.2.0?

Accepted Answer

tower-http's improper validation of Windows paths could lead to directory traversal attack `tower_http::services::fs::ServeDir` didn't correctly validate Windows paths, meaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed and respond with the contents of `c:/windows/web/screen/img101.png`. Thus users could potentially read files anywhere on the filesystem.

This only impacts Windows. Linux and other unix likes are not impacted by this.

See [tower-http#204] for more details.

[tower-http#204]: https://github.com/tower-rs/tower-http/pull/204
 Fixed in tower-http 0.2.1.

Question 2

Is there a bug in tower-http 0.2.0?

Accepted Answer

Improper validation of Windows paths could lead to directory traversal attack `tower_http::services::fs::ServeDir` didn't correctly validate Windows paths
meaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed
and respond with the contents of `c:/windows/web/screen/img101.png`. Thus users
could potentially read files anywhere on the filesystem.

This only impacts Windows. Linux and other unix likes are not impacted by this.

See [tower-http#204] for more details.

[tower-http#204]: https://github.com/tower-rs/tower-http/pull/204 Fixed in tower-http 0.2.1.

Question 3

Is there a bug in tower-http 0.2.0?

Accepted Answer

tower-http's improper validation of Windows paths could lead to directory traversal attack `tower_http::services::fs::ServeDir` didn't correctly validate Windows paths meaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed and respond with the contents of `c:/windows/web/screen/img101.png`. Thus users could potentially read files anywhere on the filesystem. This only impacts Windows. Linux and other unix likes are not impacted by this. Fixed in tower-http 0.2.1.

Severity	Affected	Fixed in	Title	Status	Source
high	0.2.0	0.2.1	tower-http's improper validation of Windows paths could lead to directory traversal attack `tower_http::services::fs::ServeDir` didn't correctly validate Windows paths, meaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed and respond with the contents of `c:/windows/web/screen/img101.png`. Thus users could potentially read files anywhere on the filesystem. This only impacts Windows. Linux and other unix likes are not impacted by this. See [tower-http#204] for more details. [tower-http#204]: https://github.com/tower-rs/tower-http/pull/204	fixed	osv:GHSA-qrqq-9c63-xfrg
medium	0.2.0	0.2.1	Improper validation of Windows paths could lead to directory traversal attack `tower_http::services::fs::ServeDir` didn't correctly validate Windows paths meaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed and respond with the contents of `c:/windows/web/screen/img101.png`. Thus users could potentially read files anywhere on the filesystem. This only impacts Windows. Linux and other unix likes are not impacted by this. See [tower-http#204] for more details. [tower-http#204]: https://github.com/tower-rs/tower-http/pull/204	fixed	osv:RUSTSEC-2022-0043
medium	0.2.0	0.2.1	tower-http's improper validation of Windows paths could lead to directory traversal attack `tower_http::services::fs::ServeDir` didn't correctly validate Windows paths meaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed and respond with the contents of `c:/windows/web/screen/img101.png`. Thus users could potentially read files anywhere on the filesystem. This only impacts Windows. Linux and other unix likes are not impacted by this.	fixed	osv:GHSA-wwh2-r387-g5rm

tower-http known bugs