tftpserver.py - Directory traversal attack

[robertpenz]

Your code

 if not peer_state.filepath.startswith(self.server.root):
....
peer_state.file = open(peer_state.filepath)

Allows a directory traversal attack. Why? I'll show you in bash:

$ sudo mkdir /tftpboot
$ cat /tftpboot/../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync

run the process as root and you get the /etc/shadow as attacker.

[robertpenz]

did overlook the

        self.filepath = os.path.abspath(os.path.join(self.path, self.filename))

in starte.py. sorry