提交線圖

13 次程式碼提交

作者 SHA1 備註 日期
ac315529b3 Only allow alphanumeric and dots for entrynames 2020-09-26 18:57:18 +02:00
aaa6670eda check whether entry is file. avoids 'raou .' panic 2020-09-26 18:42:27 +02:00
9f2f0e66b2 exec: use canonicalize to check for file existance too. better error message. 2020-09-26 18:37:48 +02:00
db4d3cafbb refactor: use format! for all error strings 2020-09-15 20:48:34 +02:00
659f7bd320 getpwnam: Give precise error message if we cannot lookup the user 2020-09-14 19:45:58 +02:00
bb0b2886e9 Fix embarassing, basic path traversal attack
Fix the most embarassing kind of path traversal vulnerability
imaginable for such a tool.

You could simply run raou ../../../../tmp/evil_entry

The C version contained various check on the config dir and its
entries which would have prevented this attack. In this port,
the checking functions were deemed unnecessary, as they
did lots of redundant checks too. Unfortunately, I missed this
trivial attack when I decided not to port them.

At the plus side, I found this now myself while sleep-deprived, so
there may be some hope for me after all.

Also, you should not use some non-released software from some
guys git ;-)
2020-09-14 19:44:08 +02:00
dce3d063f7 rustfmt 2020-09-14 19:19:20 +02:00
1c03d47dac Fixed getpwnam problems related to ptr lifecycle 2020-07-09 00:14:11 +02:00
bb8de3b6c7 also set dumpable to 0, minor improvements 2019-08-22 13:08:50 +02:00
352989756c rustfmt 2018-11-02 21:48:36 +01:00
21b208bff9 error messages with more context 2018-10-27 12:50:15 +02:00
22d442b040 argv0: default to name now, not the path 2018-10-04 22:00:14 +02:00
ce0742d335 initial commit 2018-10-04 20:45:29 +02:00