Due to missing canonicalization when readDir
is called recursively, it was possible to display directory listings outside of the defined fs
scope. This required a crafted symbolic link or junction folder inside an allowed path of the fs
scope. No arbitrary file content could be leaked.
The issue has been resolved in https://github.com/tauri-apps/tauri/pull/5123 and the implementation now properly checks if the
requested (sub) directory is a symbolic link outside of the defined scope
.
Disable the readDir
endpoint in the allowlist
inside the tauri.conf.json
.
This issue was initially reported by martin-ocasek in #4882.
If you have any questions or comments about this advisory: * Open an issue in tauri * Email us at security@tauri.app