I have found a path traversal issue in Safari, present in iOS 14.0. When saving a web page as a PDF into Files, Safari uses the page's <title> tag as the file name without sanitising it first, which leads to path traversal.
Steps to reproduce:
- Set up a webserver hosting this HTML file:
  <title>/../../Library/Preferences/</title> <h1>Hello world!</h1>
- Open the page in Safari
- Press Save to Files
- An extension-less file named
This file was created by the
Extras / limitations:
- If the <title> tag ends with a /, a file named
- If the <title> tag doesn't end with a
- If the file to create already exists, a -2 (incremental number) will be added to the filename, before the first dot. (Example: if /Library/Preferences/com.apple.mobilesafari.plist.pdf already exists, pressing Save to Files will create
- If a file path outside the app folder is provided, a warning in the Console from the kernel process will show, e.g.:
  Sandbox: MobileSafari(1756) deny(1) file-write-create /private/var/pdf.
A malicious attacker could use this vulnerability to permanently crash Safari by creating a file which Safari is unable to parse.
As far as I know, Safari can't be deleted/reinstalled, so I'm not sure how to remove these test/malicious files from Safari's filesystem.
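As an added illustration (not part of the original report, and not Safari's code), the following Python models the behaviour described above: a naive title-to-filename join that walks out of the destination folder with the report's PoC title, beside a sanitised version that keeps the title as a single path component, applies the "-N before the first dot" de-duplication rule from the extras, and independently verifies that the resolved path stays inside the destination. The destination folder DEST_DIR is a placeholder, since the real Files container path is not given in the report.

```python
import os
import re

# Placeholder destination folder (assumption): the real Files/Safari container
# path is not given in the report.
DEST_DIR = "/tmp/safari-pdf-example"


def naive_pdf_path(title: str, dest_dir: str = DEST_DIR) -> str:
    """Model of the reported bug: the <title> text is concatenated into the
    destination path unchanged, so '..' components walk out of dest_dir."""
    return os.path.normpath(f"{dest_dir}/{title}.pdf")


def sanitize_title(title: str, fallback: str = "Untitled") -> str:
    """Reduce a page title to a single path component: no separators, no NUL,
    no leading dots, never empty."""
    name = re.sub(r"[/\\\x00]", "_", title)      # neutralise every path separator
    name = re.sub(r"\s+", " ", name).strip().lstrip(".")
    return (name or fallback)[:200]


def safe_pdf_name(title: str, existing=()) -> str:
    """Sanitised file name plus the report's de-duplication rule: on a clash,
    insert -2, -3, ... before the first dot of the name."""
    base = sanitize_title(title) + ".pdf"
    candidate, n = base, 2
    taken = set(existing)
    while candidate in taken:
        head, dot, tail = base.partition(".")
        candidate = f"{head}-{n}{dot}{tail}"
        n += 1
    return candidate


def is_inside(dest_dir: str, name: str) -> bool:
    """Defence in depth: resolve the final path and confirm it is still under
    dest_dir, however the name was produced."""
    root = os.path.realpath(dest_dir)
    full = os.path.realpath(os.path.join(dest_dir, name))
    return os.path.commonpath([root, full]) == root


if __name__ == "__main__":
    title = "/../../Library/Preferences/"   # the title from the report's PoC page
    print("naive:", naive_pdf_path(title), "inside:", is_inside(DEST_DIR, title + ".pdf"))
    print("safe :", safe_pdf_name(title), "inside:", is_inside(DEST_DIR, safe_pdf_name(title)))
```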