GHSA-wxq4-cc2q-338q
WsgiDAV encoded dot segments can escape filesystem share roots
### Impact
WsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout.
### Patches
The issue is fixed with version 4.3.4.
### Preconditions
The practical impact depends on the deployment.
- The deployment uses a filesystem-backed WsgiDAV share.
- The attacker can send WebDAV requests accepted by that share. This may be an anonymous share or an authenticated WebDAV user. This is not an authentication bypass.
- The WSGI/server layer forwards the encoded dot segment to WsgiDAV's PATH_INFO. The local proof used `/%2e%2e/...`, which wsgiref passed through as `/../...`.
- A sibling or neighboring path exists whose absolute path starts with the configured root path string, such as `/tmp/share` and `/tmp/share_evil`.
- The WsgiDAV process has OS permissions for the outside path.
### Details
The issue is in `FilesystemProvider._loc_to_file_path()`. The method builds a candidate path with `os.path.abspath(os.path.join(root_path, *path_parts))`, then checks containment with `file_path.startswith(root_path)`. This is not path-boundary aware. For example, if the configured share root is `/tmp/share`, a resolved sibling path such as `/tmp/share_evil/secret.txt` still starts with the string `/tmp/share`.
In a local proof, this allowed GET, PUT, and DELETE requests to operate on files outside the configured share root.
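The following is an illustration added to this advisory, not WsgiDAV's code. It places the prefix-only check described above beside a boundary-aware alternative built on `os.path.commonpath`, and runs the advisory's own example root and the decoded `/../share_evil/...` layout through both. The boundary-aware variant is this illustration's choice and is not claimed to be the exact fix shipped in 4.3.4; the helper names (`path_parts_from_path_info`, `classify`) and the sample request paths are constructed for the example. Only path strings are resolved and compared; no file is read or written.

```python
"""Prefix-only vs. boundary-aware containment check for a filesystem share root.

Added illustration; not WsgiDAV code. resolve_prefix_check mirrors the check the
advisory describes for 4.3.3; resolve_boundary_check uses os.path.commonpath,
which is this illustration's choice and not necessarily the 4.3.4 fix.
Only path strings are resolved and compared; nothing on disk is touched.
"""
import os
from urllib.parse import unquote


def path_parts_from_path_info(path_info):
    """Split a percent-decoded PATH_INFO into segments.

    Assumption for this illustration: every segment, including '..', reaches
    the os.path.join below, as the advisory describes for the decoded path.
    """
    return [seg for seg in path_info.split("/") if seg]


def _candidate(root_path, path_parts):
    """Build the candidate path the same way the advisory describes."""
    root_path = os.path.abspath(root_path)
    file_path = os.path.abspath(os.path.join(root_path, *path_parts))
    return root_path, file_path


def resolve_prefix_check(root_path, path_parts):
    """Weak check: plain string prefix.

    With root '/tmp/share', a resolved '/tmp/share_evil/secret.txt' passes,
    because the string starts with '/tmp/share'.
    """
    root_path, file_path = _candidate(root_path, path_parts)
    return file_path if file_path.startswith(root_path) else None


def resolve_boundary_check(root_path, path_parts):
    """Boundary-aware check.

    The resolved path must be the root itself or lie below it as whole path
    components; commonpath compares components, so '/tmp/share_evil' and
    '/tmp/share' only share '/tmp' and the request is rejected.
    """
    root_path, file_path = _candidate(root_path, path_parts)
    try:
        inside = os.path.commonpath([root_path, file_path]) == root_path
    except ValueError:
        # e.g. different drives on Windows: certainly not inside the root
        inside = False
    return file_path if inside else None


def classify(root_path, raw_path_info):
    """Decode a raw request path once (as the server layer would) and report
    which of the two checks would let it through."""
    decoded = unquote(raw_path_info)
    parts = path_parts_from_path_info(decoded)
    return {
        "decoded": decoded,
        "prefix_check_allows": resolve_prefix_check(root_path, parts) is not None,
        "boundary_check_allows": resolve_boundary_check(root_path, parts) is not None,
    }


if __name__ == "__main__":
    # Constructed sample requests against the advisory's example root.
    samples = (
        "/docs/readme.txt",                    # ordinary in-share path
        "/%2e%2e/share_evil/secret.txt",       # sibling layout from the advisory
        "/%2e%2e/%2e%2e/elsewhere/file.txt",   # escape with no shared prefix
    )
    for raw in samples:
        print(raw, classify("/tmp/share", raw))
```

The third sample shows why the prefix check looked sufficient: an escape that leaves the `/tmp/share` string prefix behind is rejected by both checks, and only the sibling layout named in the preconditions slips past the prefix-only comparison.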