
# WsgiDAV encoded dot segments can escape filesystem share roots

Where: Global (internet)
Category: cyber_advisory · pip

### Impact

WsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout.

### Patches

The issue is fixed in version 4.3.4.

### Preconditions

The practical impact depends on the deployment:

- The deployment uses a filesystem-backed WsgiDAV share.
- The attacker can send WebDAV requests accepted by that share. This may be an anonymous share or an authenticated WebDAV user. This is not an authentication bypass.

### Details

The issue is in `FilesystemProvider._loc_to_file_path()`. The method builds a candidate path with `os.path.abspath(os.path.join(root_path, *path_parts))`, then checks containment with `file_path.startswith(root_path)`. This check is not path-boundary aware: if the configured share root is `/tmp/share`, a resolved sibling path such as `/tmp/share_evil/secret.txt` still starts with the string `/tmp/share`. In a local proof, this allowed GET, PUT, and DELETE requests to operate on files outside the configured share root.

For the escape to reach a file outside the root, the following must also hold:

- The WSGI/server layer forwards the encoded dot segment to WsgiDAV's PATH_INFO. The local proof used `/%2e%2e/...`, which wsgiref passed through as `/../...`.
- A sibling or neighboring path exists whose absolute path starts with the configured root path string, such as `/tmp/share` and `/tmp/share_evil`.
- The WsgiDAV process has OS permissions for the outside path.
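The following is an added illustration, not WsgiDAV's own code: a simplified stand-in for the flawed `_loc_to_file_path()` pattern (join, `abspath`, then a string-prefix check) next to a boundary-aware version that uses `os.path.commonpath`. The share root `/tmp/share`, the sibling `/tmp/share_evil`, and the request paths are constructed sample values; no files need to exist because only path resolution is exercised.

```python
import os
from typing import Optional
from urllib.parse import unquote


def _request_segments(path_info: str) -> list:
    """Split a decoded PATH_INFO into non-empty segments (constructed helper)."""
    return [p for p in path_info.split("/") if p]


def vulnerable_loc_to_file_path(root_path: str, path_info: str) -> Optional[str]:
    """Mirror of the flawed pattern described in the advisory (simplified).

    The candidate is normalised with abspath, then containment is tested with
    a plain string prefix. A sibling such as /tmp/share_evil passes the test
    because "/tmp/share_evil/..." starts with the string "/tmp/share".
    """
    file_path = os.path.abspath(os.path.join(root_path, *_request_segments(path_info)))
    if not file_path.startswith(root_path):
        return None
    return file_path


def hardened_loc_to_file_path(root_path: str, path_info: str) -> Optional[str]:
    """Boundary-aware containment check (added here, not the upstream fix).

    commonpath compares whole path components, so the resolved path must be
    the root itself or a descendant of it; a sibling that merely shares a
    string prefix is rejected.
    """
    root = os.path.abspath(root_path)
    file_path = os.path.abspath(os.path.join(root, *_request_segments(path_info)))
    try:
        if os.path.commonpath([root, file_path]) != root:
            return None
    except ValueError:
        # Raised on Windows when the two paths sit on different drives.
        return None
    return file_path


def decoded_path_info(raw_request_path: str) -> str:
    """Percent-decode a request path the way a server layer that passes
    encoded dot segments through would hand it to WsgiDAV's PATH_INFO."""
    return unquote(raw_request_path)


if __name__ == "__main__":
    root = "/tmp/share"
    # Constructed sample requests: one legitimate, one that targets a sibling directory.
    for raw in ("/docs/readme.txt", "/%2e%2e/share_evil/secret.txt"):
        info = decoded_path_info(raw)
        print(f"{raw!r:40} vulnerable={vulnerable_loc_to_file_path(root, info)!r:34} "
              f"hardened={hardened_loc_to_file_path(root, info)!r}")
```

Running the script prints that the sibling request resolves to `/tmp/share_evil/secret.txt` under the prefix check but is rejected by the `commonpath` check, while the in-root request resolves identically under both. The same contrast is what a reviewer should look for in any provider that maps URL segments onto a filesystem root.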

