From: Maxim Sobolev
Organization: Porta Software Ltd
Date: Thu, 29 Dec 2005 20:04:16 -0800
To: Sean Bryant
Cc: Barney Wolff, Martin Cracauer, freebsd-current@FreeBSD.ORG, Matt Emmerton
Subject: Re: fetch extension - use local filename from content-disposition header
Message-ID: <43B4B1C0.20408@portaone.com>
In-Reply-To: <43B4AB57.3050406@cyberwang.net>

I doubt that forbidding / is helpful, since an attacker can put an excessive amount of ../ to reach / in most cases anyway:

    sobomax@notebook$ pwd
    /home/sobomax
    sobomax@notebook$ ls -l ../../../../../../../../sbin/init
    -r-x------  1 root  wheel  491364 21 ноя 14:48 ../../../../../../../../sbin/init*

I think that a more sensible policy would be allowing saving the target file into the current directory or any subdirectory below it, disallowing writing files into any upper-level directories. This should be quite easy to do using realpath(3).

    sobomax@notebook$ realpath ././.././../.././../../../../../sbin/init
    /sbin/init

-Maxim

Sean Bryant wrote:
> Matt Emmerton wrote:
>> Martin Cracauer wrote:
>>> Matt Emmerton wrote on Thu, Dec 29, 2005 at 10:09:03PM -0500:
>>>> Sean Bryant wrote:
>>>>> Barney Wolff wrote:
>>>>>> On Thu, Dec 29, 2005 at 07:33:38PM -0500, Martin Cracauer wrote:
>>>>>>> I'm a bit rusty, so please point me to style mistakes in the appended diff.
>>>>>>> The following diff implements a "-O" option to fetch(1), which, when set, will make fetch use a local filename supplied by the server in a Content-Disposition header.
>>>>>>
>>>>>> Have you considered the security implications of this option?
>>>>>
>>>>> It's just an extra option. I'm sure the details could be summed up in the man page.
>>>>
>>>> I think what Barney means is that if you run fetch(1) as root and the server returns the filename as "/sbin/init" bad things will happen. The data returned in Content-Disposition should be used with caution.
>>>>
>>>> Would checking to see if the target file exists and, if so, aborting the operation and displaying a warning be sufficient to address the security issues? Of course, we'd need some kind of "force" option to override this for the foot-shooting folks, and -f is already taken, but that could easily be documented as a "limitation" of this option.
>>>
>>> I don't like it since it derives too much from standard behavior, which is to use a local name derived from the URL, even if it exists.
>>>
>>> Also, not overwriting files doesn't cut it for security; you could e.g. create a nonexisting .rhosts or .ssh/authorized_keys or play similar games.
>>>
>>> Forbidding "/" will set the security to the same level as the base functionality. I like that.
>>
>> Agreed, although it still leaves open all the security loopholes that were mentioned, given the proper cwd and malicious intent on the server end.
>>
>> --
>> Matt Emmerton
>>
>> _______________________________________________
>> freebsd-current@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-current
>> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
>
> Well, the programmer can only do so much; after that it's up to the user. Sanitize the filename before writing it. Just escape troublesome characters.
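An added example of the realpath(3)-based policy Maxim proposes above (written for this archive page, not fetch(1)'s own code and not from anyone in the thread): the directory part of the server-supplied name is canonicalised and must be the current working directory or a directory below it, so any number of "../" components or symlinks collapse to their real destination before the check. The names safe_target and is_safe are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not fetch(1) code): accept a server-supplied file
 * name only if it lands in the current directory or a directory below it.
 * Returns 1 and writes the canonical path into out, or 0 to reject it. */
int safe_target(const char *name, char *out, size_t outlen)
{
    char cwd[PATH_MAX], dir[PATH_MAX], base[PATH_MAX], resolved[PATH_MAX];
    const char *d, *b;
    size_t cwdlen;
    if (name == NULL || *name == '\0' || strlen(name) >= PATH_MAX)
        return 0;
    if (getcwd(cwd, sizeof cwd) == NULL)
        return 0;
    strcpy(dir, name);       /* dirname(3)/basename(3) may modify their */
    strcpy(base, name);      /* argument, so hand them copies.           */
    d = dirname(dir);
    b = basename(base);
    if (*b == '\0' || !strcmp(b, ".") || !strcmp(b, "..") || !strcmp(b, "/"))
        return 0;            /* last component must be a plain file name */
    /* realpath(3) collapses every "./", "../" and symlink in the directory
     * part and fails if that directory does not exist: fail closed. */
    if (realpath(d, resolved) == NULL)
        return 0;
    cwdlen = strlen(cwd);    /* canonical dir must be cwd or below "cwd/" */
    if (strncmp(resolved, cwd, cwdlen) != 0)
        return 0;
    if (cwdlen > 1 && resolved[cwdlen] != '\0' && resolved[cwdlen] != '/')
        return 0;
    return (size_t)snprintf(out, outlen, "%s/%s", resolved, b) < outlen;
}

int is_safe(const char *name)    /* verdict only, for quick checks */
{
    char out[PATH_MAX];
    return safe_target(name, out, sizeof out);
}

int main(void)
{   /* constructed inputs, including the path from the session above */
    const char *names[] = { "init", "/sbin/init", "././.././../.././../../../../../sbin/init" };
    for (int i = 0; i < 3; i++)
        printf("%-45s %s\n", names[i], is_safe(names[i]) ? "allowed" : "rejected");
    return 0;
}
```

Because the directory part must already exist, a name pointing into a directory that is missing is rejected as well rather than created on the attacker's behalf.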