mirror of
https://github.com/ostreedev/ostree.git
synced 2024-12-22 17:35:55 +03:00
2b78df25f4
I was reading about a recent security issue with both EMC and VMware: https://arstechnica.com/information-technology/2018/01/emc-vmware-security-bugs-throw-gasoline-on-cloud-security-fire/

It's a classic path traversal problem, and that made me think more about our handling of this in libostree. Fortunately of course, not being new to this rodeo, long ago I *did* consider path traversal. Inside the pull code, we call `ot_util_filename_validate()`. Also, `fsck` does this too.

I have further followups here, but let's add some test cases for this. I crafted a repository with a `../` in a dirtree object by patching libostree to inject it, and that's included as a tarball.

This patch covers the two cases where we do already have checks: pulling via HTTP, and in `fsck`.

Closes: #1412
Approved by: jlebon
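As an added illustration of the check the commit message refers to (this is example code written here, not libostree's own `ot_util_filename_validate()`, and the function names `dirtree_name_is_valid` and `count_invalid_entries` are assumptions): each entry name in a dirtree object must be a single path component, so a validator rejects empty names, `.`, `..`, and anything containing a `/`. A pull would abort on the first rejected entry and a fsck pass would flag the object as corrupt.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns true if `name` is a safe single path component for a dirtree
 * entry: non-empty, not "." or "..", and containing no '/'. Added
 * example; it mirrors the intent of the validation the commit message
 * describes, not libostree's actual implementation. */
bool dirtree_name_is_valid(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    if (strchr(name, '/') != NULL)
        return false;
    return true;
}

/* Walks a list of entry names as a dirtree object would carry them and
 * returns how many fail validation, reporting each rejected name.
 * A nonzero result is what pull or fsck would treat as an error. */
size_t count_invalid_entries(const char *const *names, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (!dirtree_name_is_valid(names[i])) {
            fprintf(stderr, "rejecting dirtree entry %zu: \"%s\"\n", i, names[i]);
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    /* Constructed sample: entries a crafted dirtree object might carry,
     * including the "../" case the commit's test tarball injects. */
    static const char *const entries[] = { "usr", "etc", "..", "lib/x", "", "." };
    size_t n = sizeof entries / sizeof entries[0];
    size_t bad = count_invalid_entries(entries, n);
    printf("%zu of %zu entries rejected\n", bad, n);
    return bad != 0;
}
```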