Date: Mon, 30 Sep 1996 15:27:12 -0700 (PDT) From: Bill Paul <wpaul> To: CVS-committers, cvs-all, cvs-usrsbin Subject: cvs commit: src/usr.sbin/ypserv yp_access.c Message-ID: <199609302227.PAA06732@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
wpaul 96/09/30 15:27:08 Modified: usr.sbin/ypserv yp_access.c Log: Close a potential security hole: if yp_access() is passed a map name, have it check to see that it doesn't contain any '/' characters. This prevents possible silliness like ypcat "../../../kernel". We already test the domain name for this in yp_validdomain(), and ypserv itself tests the map name in yp_open_db(), but it doesn't hurt to be paranoid and test for it in the generic access routine too. rpc.ypxfrd does not test the map name for slashes, but it does call yp_access() with the map name, so this removes a potential vulnerability from there. Also make the tests for IPPORT_RESERVED a little more selective: make sure it trips when map == master.passwd.*, prog == YPPROC and proc == YPPROC_XFR, and prog == YPXFRD_FREEBSD_PROG and proc == YPXFRD_GETMAP. Also use IPPORT_RESERVED instead of hard-coded value. Revision Changes Path 1.10 +15 -4 src/usr.sbin/ypserv/yp_access.c
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199609302227.PAA06732>