Re: dezhemini (aka dʒɛmɪni) security announcement
Almaember
almaember at disroot.org
Sat May 15 12:09:36 BST 2021
On 13/05/2021 07:46, Remco wrote:
> A couple of days ago I found and fixed a path traversal issue in the
> dezhemini (aka dʒɛmɪni) gemini server software. A specially crafted URL
> will allow an attacker to read arbitrary files from the host file
> system.
>
> The issue is fixed in commit 2dba1ee1c875b07ca2e04f8bf2d03bfc5b2afc5f.
> All versions prior to this commit are vulnerable to this type of
> intrusion.
Thanks for notifying everyone! This seems to be a common security issue
with Gemini servers.
A question to everybody reading the list: how badly would it break the
spec to simply block any request whose URL contains ".." as a standalone
path element?
~almaember
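As an added example (not code from dezhemini or from anyone on this thread), here is what the standalone ".." segment check asked about above looks like in Python, next to the root-prefix check a server should apply regardless; the document root /srv/gemini and the URLs are constructed for illustration.

```python
import posixpath
from urllib.parse import urlparse, unquote

DOC_ROOT = "/srv/gemini"  # constructed document root for the example


class TraversalRejected(Exception):
    """Raised when a request would map outside the document root."""


def has_dotdot_segment(url_path: str) -> bool:
    """The check proposed on the list: reject any standalone '..' path element.

    Percent-decode first, so an encoded dot is judged the same as a literal one.
    Only exact '..' elements are rejected; names such as '..draft.gmi' pass,
    which is why the check does not break ordinary filenames.
    """
    return any(seg == ".." for seg in unquote(url_path).split("/"))


def resolve_request(url: str, root: str = DOC_ROOT) -> str:
    """Map a gemini:// URL onto a file path under root, refusing escapes."""
    path = unquote(urlparse(url).path)
    if has_dotdot_segment(path):
        raise TraversalRejected(f"'..' segment in {path!r}")
    rel = path.lstrip("/") or "index.gmi"
    full = posixpath.normpath(posixpath.join(root, rel))
    # Belt and braces: even with the segment check, confirm the normalised
    # result is still inside root. This is a lexical check; a real server
    # should additionally realpath() the result so symlinks cannot escape.
    if full != root and not full.startswith(root + "/"):
        raise TraversalRejected(f"{full} is outside {root}")
    return full


def is_rejected(url: str) -> bool:
    """Convenience wrapper: True if the request would be refused."""
    try:
        resolve_request(url)
    except TraversalRejected:
        return True
    return False
```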