From 4e9269a5fc1fe80a1095a92593dd85db871e1fd3 Mon Sep 17 00:00:00 2001 From: Andreas Gruenbacher Date: Mon, 19 Jan 2015 22:18:30 +0000 Subject: Make sure symlinks don't point outside working directory (CVE-2015-119) When creating symlinks from git-style patches, make sure the symlinks don't point above the current working directory. Otherwise, a subsequent patch could use the symlink to write outside the working directory. * src/pch.c (symlink_target_is_valid): New function to check for valid symlink targets. * src/util.c (move_file): Use symlink_target_is_valid() here. * tests/symlinks: Add valid and invalid symlink test cases. --- diff --git a/src/pch.c b/src/pch.c index 55e1504..f05ef83 100644 --- a/src/pch.c +++ b/src/pch.c @@ -454,6 +454,60 @@ name_is_valid (char const *name) return is_valid; } +bool +symlink_target_is_valid (char const *target, char const *to) +{ + bool is_valid; + + if (IS_ABSOLUTE_FILE_NAME (to)) + is_valid = true; + else if (IS_ABSOLUTE_FILE_NAME (target)) + is_valid = false; + else + { + unsigned int depth = 0; + char const *t; + + is_valid = true; + t = to; + while (*t) + { + while (*t && ! ISSLASH (*t)) + t++; + if (ISSLASH (*t)) + { + while (ISSLASH (*t)) + t++; + depth++; + } + } + + t = target; + while (*t) + { + if (*t == '.' && *++t == '.' && (! *++t || ISSLASH (*t))) + { + if (! depth--) + { + is_valid = false; + break; + } + } + else + { + while (*t && ! ISSLASH (*t)) + t++; + depth++; + } + while (ISSLASH (*t)) + t++; + } + } + + /* Allow any symlink target if we are in the filesystem root. */ + return is_valid || cwd_is_root (to); +} + /* Determine what kind of diff is in the remaining part of the patch file. */ static enum diff diff --git a/src/pch.h b/src/pch.h index 0c7ff62..58861b0 100644 --- a/src/pch.h +++ b/src/pch.h @@ -37,6 +37,7 @@ bool pch_write_line (lin, FILE *); bool there_is_another_patch (bool, mode_t *); char *pfetch (lin) _GL_ATTRIBUTE_PURE; char pch_char (lin) _GL_ATTRIBUTE_PURE; +bool symlink_target_is_valid (char const *, char const *); int another_hunk (enum diff, bool); int pch_says_nonexistent (bool) _GL_ATTRIBUTE_PURE; size_t pch_line_len (lin) _GL_ATTRIBUTE_PURE; diff --git a/src/util.c b/src/util.c index 66ae90f..636eded 100644 --- a/src/util.c +++ b/src/util.c @@ -466,6 +466,13 @@ move_file (char const *from, bool *from_needs_removal, read_fatal (); buffer[size] = 0; + if (! symlink_target_is_valid (buffer, to)) + { + fprintf (stderr, "symbolic link target '%s' is invalid\n", + buffer); + fatal_exit (0); + } + if (! backup) { if (unlink (to) == 0) diff --git a/tests/symlinks b/tests/symlinks index 96626b3..6211026 100644 --- a/tests/symlinks +++ b/tests/symlinks @@ -146,6 +146,59 @@ ncheck 'test ! -L symlink' # -------------------------------------------------------------- +# Patch should not create symlinks which point outside the working directory. + +cat > symlink-target.diff < bad-symlink-target1.diff < bad-symlink-target2.diff <