Mako Template Library Path Traversal Vulnerability on Windows

Vulnerability

A path traversal vulnerability has been identified in the Mako template library for Python, affecting versions prior to 1.3.12. On Windows systems, URIs containing backslash traversal (such as '\..\secret.txt') can bypass the directory-traversal checks and the posixpath-based normalization. This flaw allows unauthorized access to files outside the designated template directory. The issue arises because posixpath treats backslashes as literal characters, while Windows file handling interprets them as path separators, creating a loophole that can be exploited to read sensitive files.

Impact

Exploitation of this vulnerability could lead to unauthorized disclosure of files located outside the configured template directory. If the accessed files contain Mako or Python template syntax, there is a risk that they could be executed as templates, potentially leading to further security issues.

Reproduction

The vulnerability can be reproduced by using a Mako template lookup that includes a URI with backslash traversal. This can be done by creating a template directory and a file containing sensitive information, such as a text file with a secret key. Then, attempt to access the file using a backslash traversal URI, which will bypass the normal directory traversal checks and file access validations.

Remediation

Users can update to Mako version 1.3.12, which addresses the vulnerability by normalizing backslashes to forward slashes before any path operations, ensuring consistent behavior across different operating systems.
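The following is an added illustration, not Mako's own lookup code: a hypothetical traversal check written in the pre-1.3.12 style (posixpath only) beside the corrected style (backslashes normalized to forward slashes first), plus a comparison of how the POSIX and Windows path modules collapse the same URI. The helper names `escapes_root` and `resolved_by_os` and the sample URIs are constructed for this example.

```python
import ntpath
import posixpath


def escapes_root(uri: str, normalize_backslashes: bool) -> bool:
    """Return True if the template URI would climb above the template root.

    normalize_backslashes=False mirrors the pre-1.3.12 weakness: only
    posixpath is consulted, so a backslash is just an ordinary character
    and '\\..\\secret.txt' is never seen as a '..' component.
    normalize_backslashes=True mirrors the 1.3.12 fix: backslashes are
    rewritten to '/' before any path operation, so the same URI is caught.
    """
    if normalize_backslashes:
        uri = uri.replace("\\", "/")
    # Strip a leading separator so the URI is treated as relative to the
    # template root, then collapse '.' and '..' the POSIX way.
    rel = posixpath.normpath(uri.lstrip("/"))
    # A result that still begins with '..' points outside the root.
    return rel == ".." or rel.startswith("../")


def resolved_by_os(uri: str) -> dict:
    """Show the discrepancy at the heart of the bug: the same string,
    normalized by posixpath (what the check used) and by ntpath (what
    Windows file I/O effectively applies)."""
    return {
        "posix": posixpath.normpath(uri),
        "windows": ntpath.normpath(uri),
    }


if __name__ == "__main__":
    # Constructed sample URIs, not taken from any real deployment.
    for uri in ("\\..\\secret.txt", "pages/../../secret.txt", "pages/index.html"):
        print(repr(uri),
              "weak check flags:", escapes_root(uri, normalize_backslashes=False),
              "fixed check flags:", escapes_root(uri, normalize_backslashes=True))
    print(resolved_by_os("templates\\..\\secret.txt"))
```

Both path modules are pure string manipulation, so the comparison runs identically on Linux and Windows.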

Added: May 12, 2026, 10:22 PM
Updated: May 12, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.0
remediation: 0.0
relevance: 8.1
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.