Summary
File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's scope.
As a result, an attacker who knows a public directory share URL can access files and subdirectories that the owner explicitly blocked with rules, as long as those blocked paths are located underneath the shared directory. In the simplest case this is an unauthenticated information disclosure through GET /api/public/share/* and GET /api/public/dl/*.
Details
The public share flow first resolves the original shared path under the owner's filesystem, but then switches d.user.Fs to a new BasePathFs rooted at the shared directory. The follow-up authorization check is still performed by d.Check, which compares the request path to rule strings using prefix matching.
When the share target is a directory, the path passed to d.Check becomes relative to the shared directory, while the rules remain relative to the owner's original scope. A deny rule such as /projects/private therefore no longer matches a public share request for /private/secret.txt, even though the rebased filesystem resolves that request to the real path /projects/private/secret.txt.
Core vulnerable code path:
// http/public.go
if file.IsDir {
basePath = filepath.Clean(link.Path)
filePath = ifPath
}
d.user.Fs = afero.NewBasePathFs(d.user.Fs, basePath)
file, err = files.NewFileInfo(&files.FileOptions{
Fs: d.user.Fs,
Path: filePath,
Expand: true,
Checker: d,
})// http/data.go and rules/rules.go
func (d *data) Check(path string) bool {
allow := true
for _, rule := range d.settings.Rules {
if rule.Matches(path) {
allow = rule.Allow
}
}
for _, rule := range d.user.Rules {
if rule.Matches(path) {
allow = rule.Allow
}
}
return allow
}
func (r *Rule) Matches(path string) bool {
if path == r.Path {
return true
}
prefix := r.Path
if prefix != "/" && !strings.HasSuffix(prefix, "/") {
prefix += "/"
}
return strings.HasPrefix(path, prefix)
}The issue is reachable from the public endpoints registered in http/http.go for /api/public/share/* and /api/public/dl/*.
PoC
The attacker only needs a directory share URL. No authenticated session is required if the share is not password protected.
Reproduction flow:
- Prepare a directory owned by a normal user, for example
/projects/.
- Inside it, create a sensitive child path such as
/projects/private/secret.txt.
- Configure a deny rule for the share owner that blocks
/projects/private.
- Have the owner create a public share for
/projects/.
- Request the blocked child path through the public share endpoints.
PoC:
# owner creates a public share for /projects/
curl -s -X POST 'http://HOST/api/share/projects/' \
-H 'X-Auth: <OWNER_JWT>' \
-H 'Content-Type: application/json' \
-d '{}'The response contains a share hash such as:
{"hash":"<HASH>","path":"/projects/","userID":2,"expire":0}
The attacker can then access a rule-blocked file below the shared directory:
curl -i 'http://HOST/api/public/dl/<HASH>/private/secret.txt'
A blocked subdirectory can also be listed directly:
curl -i 'http://HOST/api/public/share/<HASH>/private/'
the server returns 200 OK and serves the file content or directory listing, even though the share owner's rules should have made that path inaccessible.
Impact
This flaw allows public share recipients to read files and browse directories that the share owner explicitly intended to block with File Browser rules. Because the vulnerable path is the public share feature, the exposure can be unauthenticated and internet-reachable whenever a share link is exposed.
In practical deployments, this can disclose secrets, configuration files, backup material, private project directories, or any other content that administrators or users attempted to hide beneath a shared parent directory using the built-in rule system.
References
hacdias Remediation developer
Summary
File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's scope.
As a result, an attacker who knows a public directory share URL can access files and subdirectories that the owner explicitly blocked with rules, as long as those blocked paths are located underneath the shared directory. In the simplest case this is an unauthenticated information disclosure through
GET /api/public/share/*andGET /api/public/dl/*.Details
The public share flow first resolves the original shared path under the owner's filesystem, but then switches
d.user.Fsto a newBasePathFsrooted at the shared directory. The follow-up authorization check is still performed byd.Check, which compares the request path to rule strings using prefix matching.When the share target is a directory, the path passed to
d.Checkbecomes relative to the shared directory, while the rules remain relative to the owner's original scope. A deny rule such as/projects/privatetherefore no longer matches a public share request for/private/secret.txt, even though the rebased filesystem resolves that request to the real path/projects/private/secret.txt.Core vulnerable code path:
The issue is reachable from the public endpoints registered in
http/http.gofor/api/public/share/*and/api/public/dl/*.PoC
The attacker only needs a directory share URL. No authenticated session is required if the share is not password protected.
Reproduction flow:
/projects/./projects/private/secret.txt./projects/private./projects/.PoC:
The response contains a share hash such as:
The attacker can then access a rule-blocked file below the shared directory:
curl -i 'http://HOST/api/public/dl/<HASH>/private/secret.txt'A blocked subdirectory can also be listed directly:
curl -i 'http://HOST/api/public/share/<HASH>/private/'the server returns
200 OKand serves the file content or directory listing, even though the share owner's rules should have made that path inaccessible.Impact
This flaw allows public share recipients to read files and browse directories that the share owner explicitly intended to block with File Browser rules. Because the vulnerable path is the public share feature, the exposure can be unauthenticated and internet-reachable whenever a share link is exposed.
In practical deployments, this can disclose secrets, configuration files, backup material, private project directories, or any other content that administrators or users attempted to hide beneath a shared parent directory using the built-in rule system.
References