Weblate Repository Boundary Check Bypass Vulnerability via Symlink Path Prefix Collision

Vulnerability

A vulnerability exists in Weblate, a web-based localization tool, in versions prior to 5.17. The issue arises from the repository-boundary validation, which relies on string prefix checks of resolved absolute paths. The check is not aware of path segments, so it can be bypassed when an external path shares a prefix with the repository path, such as 'repo' and 'repo_outside'. A symlink or junction inside the repository whose resolved target lies under such a sibling path therefore passes the boundary check, potentially leading to unauthorized access to or manipulation of files outside the intended directory.

Impact

Exploitation of this vulnerability can lead to a bypass of repository boundary checks, allowing for the manipulation or access of files outside the designated repository directory.

Reproduction

To reproduce this vulnerability, create a symlink or junction inside the repository that points to a file outside the repository directory but under a path sharing the same prefix as the repository path. When the repository boundary validation compares the resolved path, it incorrectly accepts it, because the comparison is a string prefix match rather than a segment-aware one.
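The following is an added illustration, not Weblate's own code: a prefix-based boundary check of the kind described above beside a segment-aware replacement, run against a constructed layout in which a symlink inside 'repo' resolves into the sibling directory 'repo_outside'. The function names are hypothetical.

```python
import os
import tempfile
from pathlib import Path


def is_inside_prefix(repo_root: str, candidate: str) -> bool:
    """Flawed check (illustrative): string-prefix test on resolved paths.

    '/base/repo_outside/x' starts with '/base/repo', so a sibling
    directory passes as if it were a descendant of the repository.
    """
    root = os.path.realpath(repo_root)
    target = os.path.realpath(candidate)
    return target.startswith(root)


def is_inside_segment_aware(repo_root: str, candidate: str) -> bool:
    """Hardened check: compare whole path segments, not characters.

    os.path.commonpath raises ValueError for paths on different drives
    (Windows); that case is treated as outside the repository.
    """
    root = os.path.realpath(repo_root)
    target = os.path.realpath(candidate)
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:
        return False


def demo() -> dict:
    """Constructed layout: base/repo, base/repo_outside/secret.txt and a
    symlink base/repo/link -> base/repo_outside/secret.txt."""
    with tempfile.TemporaryDirectory() as base:
        repo = os.path.join(base, "repo")
        outside = os.path.join(base, "repo_outside")
        os.makedirs(repo)
        os.makedirs(outside)
        secret = os.path.join(outside, "secret.txt")
        Path(secret).write_text("constructed sample")
        link = os.path.join(repo, "link")
        os.symlink(secret, link)
        inside = os.path.join(repo, "messages.po")
        Path(inside).write_text("")
        return {
            "prefix_link": is_inside_prefix(repo, link),          # True: bypass
            "segment_link": is_inside_segment_aware(repo, link),  # False: rejected
            "prefix_inside": is_inside_prefix(repo, inside),      # True
            "segment_inside": is_inside_segment_aware(repo, inside),  # True
        }
```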

Remediation

Users can upgrade to Weblate version 5.17 or later, where this vulnerability has been fixed.

Added: Apr 15, 2026, 7:38 PM
Updated: Apr 15, 2026, 7:38 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 6.3
remediation: 7.7
relevance: 6.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.