ui-summary: Disallow directory traversal
Using the url= query string, it was possible to request arbitrary files from the filesystem if the readme for a given page was set to a filesystem file. The following request would return my /etc/passwd file: http://git.zx2c4.com/?url=/somerepo/about/../../../../etc/passwd http://data.zx2c4.com/cgit-directory-traversal.png This fix uses realpath(3) to canonicalize all paths, and then compares the base components. This fix introduces a subtle timing attack, whereby a client can check whether or not strstr is called using timing measurements in order to determine if a given file exists on the filesystem. This fix also does not account for filesystem race conditions (TOCTOU) in resolving symlinks. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
parent
2a1ead3efb
commit
fe36f84d84
16
ui-summary.c
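--- a/ui-summary.c
+++ b/ui-summary.c
@@ -99,6 +99,7 @@ void cgit_print_summary()
 void cgit_parse_readme(const char *readme, const char *path, char **filename, char **ref, struct cgit_repo *repo)
 {
 	const char *slash, *colon;
+	char *resolved_base, *resolved_full;
 
 	*filename = NULL;
 	*ref = NULL;
@@ -133,7 +134,19 @@ void cgit_parse_readme(const char *readme, const char *path, char **filename, ch
 		}
 		*filename = xmalloc(slash - readme + 1 + strlen(path) + 1);
 		strncpy(*filename, readme, slash - readme + 1);
+		if (!(*ref))
+			resolved_base = realpath(*filename, NULL);
 		strcpy(*filename + (slash - readme + 1), path);
+		if (!(*ref))
+			resolved_full = realpath(*filename, NULL);
+		if (!(*ref) && (!resolved_base || !resolved_full || strstr(resolved_full, resolved_base) != resolved_full)) {
+			free(*filename);
+			*filename = NULL;
+		}
+		if (!(*ref)) {
+			free(resolved_base);
+			free(resolved_full);
+		}
 	} else
 		*filename = xstrdup(readme);
 }
@@ -143,6 +156,9 @@ void cgit_print_repo_readme(char *path)
 	char *filename, *ref;
 	cgit_parse_readme(ctx.repo->readme, path, &filename, &ref, ctx.repo);
+
+	if (!filename)
+		return;
+
 	/* Print the calculated readme, either from the git repo or from the
 	 * filesystem, while applying the about-filter.
 	 */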
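Review bot: The containment test `strstr(resolved_full, resolved_base) != resolved_full` in the second hunk only checks that the canonical file path begins with the canonical base string, so a sibling directory whose name extends the base name (a constructed example: base `/srv/about` and a file resolved under `/srv/about-other/`) is still accepted as inside the base. The check should also require that the base is followed by a path separator or the end of the string, for instance `size_t base_len = strlen(resolved_base);` computed after the NULL checks and then `strncmp(resolved_full, resolved_base, base_len) != 0 || (resolved_full[base_len] != '/' && resolved_full[base_len] != '\0')` in place of the strstr expression. Initialising `resolved_base` and `resolved_full` to NULL at their declaration in the first hunk would make the repeated `!(*ref)` guards easier to audit, since the two pointers are otherwise assigned and read only under that same condition. The body of cgit_parse_readme begins outside the second hunk.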