lib/checkout: Validate pathnames during checkout

While we do protect against path traversal during pull, let's also validate
during checkout; it's a cheap operation and provides good last-mile protection.

Closes: #1412
Approved by: jlebon
Colin Walters 2018-01-12 10:40:36 -05:00 committed by Atomic Bot
parent 2b78df25f4
commit f3ae36ff43
2 changed files with 21 additions and 3 deletions


@ -535,6 +535,10 @@ checkout_one_file_at (OstreeRepo *repo,
GCancellable *cancellable, GCancellable *cancellable,
GError **error) GError **error)
{ {
/* Validate this up front to prevent path traversal attacks */
if (!ot_util_filename_validate (destination_name, error))
return FALSE;
gboolean need_copy = TRUE; gboolean need_copy = TRUE;
gboolean is_bare_user_symlink = FALSE; gboolean is_bare_user_symlink = FALSE;
char loose_path_buf[_OSTREE_LOOSE_PATH_MAX]; char loose_path_buf[_OSTREE_LOOSE_PATH_MAX];
@ -897,6 +901,15 @@ checkout_tree_at_recurse (OstreeRepo *self,
while (g_variant_iter_loop (&viter, "(&s@ay@ay)", &dname, while (g_variant_iter_loop (&viter, "(&s@ay@ay)", &dname,
&subdirtree_csum_v, &subdirmeta_csum_v)) &subdirtree_csum_v, &subdirmeta_csum_v))
{ {
/* Validate this up front to prevent path traversal attacks. Note that
* we don't validate at the top of this function like we do for
* checkout_one_file_at() becuase I believe in some cases this function
* can be called *initially* with user-specified paths for the root
* directory.
*/
if (!ot_util_filename_validate (dname, error))
return FALSE;
const size_t origlen = selabel_path_buf ? selabel_path_buf->len : 0; const size_t origlen = selabel_path_buf ? selabel_path_buf->len : 0;
if (selabel_path_buf) if (selabel_path_buf)
{ {
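Review bot: The `return FALSE;` added inside the `g_variant_iter_loop` body of checkout_tree_at_recurse (second hunk) exits the loop after the iterator has already handed out the two `@ay` values in subdirtree_csum_v and subdirmeta_csum_v, and g_variant_iter_loop only releases those on its next call, so this error path drops two GVariant references; unless the rest of the loop body (outside the hunk) already returns the same way on other errors, the new exit should read `if (!ot_util_filename_validate (dname, error)) { g_variant_unref (subdirtree_csum_v); g_variant_unref (subdirmeta_csum_v); return FALSE; }`. The check in checkout_one_file_at (first hunk) is placed correctly before any use of destination_name, but the validator's contract is not visible here: confirm that ot_util_filename_validate rejects a bare `.` or `..` and an empty name, not only names containing `/`, since the accompanying test only exercises `../afile`. The new comment in the second hunk has a typo, `becuase` → `because`. Both enclosing functions start and end outside their hunks.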


@ -19,7 +19,7 @@
set -euo pipefail set -euo pipefail
echo "1..5" echo "1..6"
. $(dirname $0)/libtest.sh . $(dirname $0)/libtest.sh
@ -79,6 +79,11 @@ if ${CMD_PREFIX} ostree --repo=ostree-path-traverse/repo fsck -q 2>err.txt; then
fatal "fsck unexpectedly succeeded" fatal "fsck unexpectedly succeeded"
fi fi
assert_file_has_content_literal err.txt '.dirtree: Invalid / in filename ../afile' assert_file_has_content_literal err.txt '.dirtree: Invalid / in filename ../afile'
echo "ok path traverse fsck"
echo "ok path traverse" cd ${test_tmpdir}
if ${CMD_PREFIX} ostree --repo=ostree-path-traverse/repo checkout pathtraverse-test pathtraverse-test 2>err.txt; then
fatal "checkout with path traversal unexpectedly succeeded"
fi
assert_file_has_content_literal err.txt 'Invalid / in filename ../afile'
echo "ok path traverse checkout"
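Review bot: The new checkout case only asserts on the error text in err.txt; it does not verify that the rejected entry was not materialized outside the checkout target, which is the property the fix actually protects. After the `if ... fi` block, a negative file check in ${test_tmpdir} (where `../afile` relative to `pathtraverse-test` would land), e.g. `assert_not_has_file afile` if libtest.sh provides that helper, would make the test fail on a regression that writes the file and still reports an error. The hunk's `cd ${test_tmpdir}` before the checkout makes that location well defined, so the extra assertion is cheap.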