VDB
KO
MEDIUM 5.3

GHSA-85jm-cwp2-mvpv

CefSharp.Common: `FolderSchemeHandlerFactory` path boundary check can expose files outside the configured root folder

Details

### Summary

`FolderSchemeHandlerFactory` was intended to restrict served files to a configured `rootFolder`, but its path validation used a raw string prefix check. A request could escape to a sibling directory whose full path starts with the root folder path, allowing files outside the configured root to be served.

### Details

In affected versions, `FolderSchemeHandlerFactory` canonicalized `rootFolder`, decoded the request path, combined it with the root, and then allowed the file when:

```csharp filePath.StartsWith(rootFolder, StringComparison.OrdinalIgnoreCase) ```

This does not enforce a directory boundary. For example, `/tmp/app/www2/secret.txt` starts with `/tmp/app/www`, but `www2` is a sibling of `www`, not a child. The same issue applies on Windows, for example `C:\app\www2\secret.txt` starts with `C:\app\www`.

The affected code was reviewed at commit `b5fef3bb4bc58798c95170078c41de92cfe9066e`, assembly version `147.0.100`.

### PoC

Set `rootFolder` to a directory named `www` and create a sibling directory named `www2`:

```text <temp>/www/index.html <temp>/www2/secret.txt ```

Register `FolderSchemeHandlerFactory` for `<temp>/www`, then request:

```text https://folderschemehandlerfactory.test/..%2fwww2/secret.txt ```

The request path is URL-decoded to `../www2/secret.txt`, combined with `<temp>/www`, and canonicalized to:

```text <temp>/www2/secret.txt ```

Because `<temp>/www2/secret.txt` starts with `<temp>/www` as a string prefix, the affected check passes and `secret.txt` is served from outside `rootFolder`.

Expected vulnerable result: HTTP 200 with the contents of `<temp>/www2/secret.txt`.

Expected fixed result: 404 or equivalent not-found response because the resolved file is outside `rootFolder`.

### Impact

Applications using `FolderSchemeHandlerFactory` for a custom scheme or registered HTTP/HTTPS scheme may expose local files outside the intended served directory. This is most relevant when sensitive sibling directories share the root path prefix, such as `www`/`www2`, `public`/`public_backup`, or `static`/`static-secrets`.

An attacker must be able to cause the embedded browser to request URLs handled by the affected scheme registration.

Are you affected?

Enter the version of the package you're using.

Affected packages

NuGet / CefSharp.Common
Introduced in: 0 Fixed in: 148.0.90
Fix dotnet add package CefSharp.Common --version 148.0.90

References