Dear users of Akka HTTP and Spray,
We have just released akka-http 2.4.11 and spray 1.3.4 with a critical security update for users running akka-http servers on Windows. We were notified (akka/akka-http#346) that on Windows akka-http’s `getFromDirectory`, `getFromBrowseableDirectory`, `getFromBrowseableDirectories`, and `listDirectoryContents` directives unintentionally allow access to directories and files outside of the specified directory. All directories and files on the same drive as the specified directory for which the server process has sufficient permissions may be downloaded or browsed. This can be easily exploited by using a specially crafted URI. For example, such specially crafted request http://localhost:8080/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows/win.ini when handles by one of the affected directives, could expose your win.ini (and potentially any other file) to the attacker.
Please update to the latest version of akka-http as soon as possible.
akka-http-experimental prior to 2.4.11
spray-routing and spray-routing-shapeless2 prior to 1.3.4
Following best security practices it is furthermore recommended to run the web server process with user credentials with as few permissions as possible to prevent unintended file access. Furthermore, we suggest using Linux servers and/or containers for hosting Akka HTTP applications, as these OSes receive more scrutiny than any other OS just because of the overwhelming number of installations running on Linux.
Please note that we have also updated Spray 1.3, even though it is slowly reaching it’s end of life, and will be deprecated with the upcoming (very soon) stable release of Akka HTTP. Please update to the latest version of Spray if you are using it, and be prepared to move onwards to Akka HTTP soon.
Many thanks go to @roikonen for reporting the problem, @2beaucoup for providing a fix and @rbudzko and @jypma for providing advice for fixing the problem.