CVE-2026-44307

EPSS 0.29%

Mako vulnerable to path traversal via backslash URI on Windows in TemplateLookup

發布日:2026/5/6修改日:2026/5/13
也稱為:GHSA-2h4p-vjrc-8xpqCGA-5v3q-r344-q4xf

描述

## Summary On Windows, a URI using backslash traversal (e.g. `\..\..\ secret.txt`) bypasses the directory traversal check in `Template.__init__` and the `posixpath`-based normalization in `TemplateLookup.get_template()`, allowing reads of files outside the configured template directory. ## Details The root cause is a mismatch between `posixpath` (used for URI normalization in `get_template()`) and `os.path` (used for file access via `os.path.isfile()` and validation via `os.path.normpath()` in `Template.__init__`). On Windows, `os.path` is `ntpath`, which treats `\` as a path separator, while `posixpath` treats it as a literal character. The vulnerability chain: 1. `get_template()` strips only leading `/` via `re.sub(r"^\/+", "", uri)` and normalizes with `posixpath` — backslash `\` is treated as a literal character, so `\..\ secret.txt` passes through with `..` undetected. 2. `Template.__init__()` validation uses `os.path.normpath()` — on Windows this resolves `\..\ secret.txt` to `\secret.txt`, which does not start with `..`, so the `startswith("..")` check passes. 3. `os.path.isfile()` on Windows interprets `\` as a path separator, resolving the `..` traversal and finding files outside the template directory. ### Affected code - `mako/lookup.py`: `TemplateLookup.get_template()` uses `posixpath.normpath`/`posixpath.join` for path construction but `os.path.isfile()` for existence check - `mako/template.py`: `Template.__init__()` URI validation uses `os.path.normpath()` which on Windows resolves backslash traversal to a form that passes the `startswith("..")` guard ## Impact If an application passes user-controlled template names or include paths to `TemplateLookup.get_template()`, an attacker on Windows may be able to load and disclose readable files outside the configured template directory. The primary impact is local file disclosure. If the targeted file contains Mako/Python template syntax, it may also be parsed and executed as a template. ## Remediation The fix should normalize backslashes to forward slashes early in the URI processing pipeline, before any path operations, to ensure consistent behavior across platforms.

受影響套件(1)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

參考連結(6)