Mako Template Library Path Traversal Vulnerability in TemplateLookup

Vulnerability

A path traversal vulnerability has been identified in the Mako template library for Python, affecting versions through 1.3.10. The issue arises in the TemplateLookup.get_template() method, which improperly handles URIs starting with double slashes. This flaw allows arbitrary file reading, as any file accessible by the process can be retrieved and rendered as a template. The vulnerability is rooted in inconsistent implementations of slash removal, enabling exploitation by bypassing normal path checks. While this issue can be exploited at the library API level, HTTP-based attacks are less likely due to Python's BaseHTTPRequestHandler, which normalizes double-slash prefixes. However, applications using other HTTP servers that do not perform this normalization may still be vulnerable.

Impact

Exploitation of this vulnerability allows for arbitrary file read access, with any file readable by the process being returned as rendered template content. This could lead to the disclosure of sensitive information, depending on the files accessed.

Reproduction

To reproduce this vulnerability, use Mako version 1.3.10 or earlier and call the TemplateLookup.get_template() method with a URI that includes a double slash prefix followed by traversal sequences (e.g., //../../../etc/passwd). The method will strip the slashes in a way that bypasses normal path validation, allowing access to the specified file.

Remediation

Users can upgrade to Mako version 1.3.11 or later, where this vulnerability has been fixed.
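Upgrading is the fix; until that is rolled out, an application can refuse unsafe URIs before they ever reach the lookup. The following is an added example, not code from this advisory or from Mako itself. It assumes the application owns the list of template directories and can intercept the URI before calling TemplateLookup.get_template(); the version check, the lexical check, and the filesystem containment check are all independent of Mako, and the template tree used by demo() is constructed in a temporary directory.

```python
"""Pre-validation for template URIs before they reach TemplateLookup.

Added example, not Mako's own code. Assumes the application can check the
URI before calling TemplateLookup.get_template() and knows its own
template directories.
"""
import os
import posixpath
import tempfile

# Affected range named in the advisory: every release up to and including 1.3.10.
FIXED_VERSION = (1, 3, 11)


def parse_version(text):
    """Turn '1.3.10' (or '1.3.11rc1') into a tuple of its leading integers."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected_version(text):
    """True when the installed Mako version predates the fixed release."""
    return parse_version(text) < FIXED_VERSION


def canonical_template_uri(uri):
    """Lexically validate a lookup URI and return it in '/name' form.

    Rejects the double-slash prefix the advisory describes, anything still
    absolute after normalisation, and any surviving '..' segment. Raises
    ValueError so the caller never reaches the lookup with a bad URI.
    """
    if not uri or "\0" in uri or "\\" in uri or uri.startswith("//"):
        raise ValueError("rejected template uri: %r" % (uri,))
    rel = uri[1:] if uri.startswith("/") else uri  # one leading slash is the normal lookup form
    norm = posixpath.normpath(rel)
    if norm in (".", "") or norm.startswith("/") or ".." in norm.split("/"):
        raise ValueError("rejected template uri: %r" % (uri,))
    return "/" + norm


def is_rejected(uri):
    """True when the lexical check refuses the URI (handy for tests and monitoring)."""
    try:
        canonical_template_uri(uri)
    except ValueError:
        return True
    return False


def resolve_in_dirs(uri, template_dirs):
    """Map a validated URI onto the first allowed directory that contains it.

    realpath() resolves symlinks, so a link pointing outside the directory
    is refused as well; commonpath() enforces that the result stays inside.
    """
    rel = canonical_template_uri(uri)[1:]
    for directory in template_dirs:
        base = os.path.realpath(directory)
        candidate = os.path.realpath(os.path.join(base, rel))
        if os.path.commonpath([base, candidate]) != base:
            raise ValueError("template resolves outside %s: %r" % (directory, uri))
        if os.path.isfile(candidate):
            return candidate
    raise FileNotFoundError("no template for %r in %r" % (uri, list(template_dirs)))


def demo():
    """Build a constructed template tree in a temp dir and exercise the checks."""
    root = tempfile.mkdtemp(prefix="tpl-")
    os.makedirs(os.path.join(root, "pages"))
    with open(os.path.join(root, "pages", "home.mako"), "w") as fh:
        fh.write("<h1>${title}</h1>\n")  # constructed sample template

    results = {}
    results["home_found"] = resolve_in_dirs("/pages/home.mako", [root]).endswith(
        os.path.join("pages", "home.mako"))
    for probe in ("//../../../etc/passwd", "/../etc/passwd", "pages/../../x"):
        try:
            resolve_in_dirs(probe, [root])
            results[probe] = "accepted"
        except ValueError:
            results[probe] = "rejected"
    try:
        resolve_in_dirs("/pages/missing.mako", [root])
        results["missing"] = "found"
    except FileNotFoundError:
        results["missing"] = "not found"
    results["1.3.10 affected"] = is_affected_version("1.3.10")
    results["1.3.11 affected"] = is_affected_version("1.3.11")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-28s %s" % (key, value))
```

The lexical check runs first so that rejected URIs never touch the filesystem, which also makes them cheap to log as a detection signal; the containment check is the backstop for anything the lexical rules miss, including symlinks inside the template directory that point elsewhere.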

Added: Apr 23, 2026, 7:47 PM
Updated: Apr 23, 2026, 7:47 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.0
remediation: 7.7
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.