Date: Thu, 28 May 2009 11:07:12 +0200
From: Mel Flynn <mel.flynn+fbsd.hackers@mailing.thruhere.net>
To: freebsd-hackers@freebsd.org
Cc: Dag-Erling Smørgrav <des@des.no>, Jakub Lach <jakub_lach@mailplus.pl>
Subject: Re: FYI Lighttpd 1.4.23 /kernel (trailing '/' on regular file symlink) vulnerability
Message-ID: <200905281107.12864.mel.flynn%2Bfbsd.hackers@mailing.thruhere.net>
In-Reply-To: <86my8z8su6.fsf@ds4.des.no>
References: <23727599.post@talk.nabble.com> <86prdvipwe.fsf@ds4.des.no> <86my8z8su6.fsf@ds4.des.no>

On Tuesday 26 May 2009 23:20:01 Dag-Erling Smørgrav wrote:
> Dag-Erling Smørgrav <des@des.no> writes:
> > Like bde@ pointed out, the patch is incorrect.  It moves the test for
> > v_type != VDIR up to a point where, in the case of a symlink, v_type is
> > always (by definition) VLNK.
>
> Hmm, actually, symlinks are resolved in namei(), not lookup().  This is
> not going to be pretty.  I'll be back later...

I don't pretend to comprehend the kernel side of things fully, but wouldn't it
be easier to append a dot to all trailing slashes inside or before passing to
namei? This works in userland at present and lighttpd could use something
similar as a work around until it's fixed:

% echo this is foo > foo
% ln -fs foo bar
% cat bar/
this is foo
% cat bar/.
cat: bar/.: Not a directory

-- 
Mel
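
The userland workaround suggested in the message above, sketched in C as an added example (not code from the message, from lighttpd or from the FreeBSD tree). `open_strict` and `demo` are hypothetical names, and a writable /tmp is assumed for the constructed foo/bar fixture.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open path read-only. If it ends in '/', append '.' first so that the
 * last component must be a directory. Returns an fd, or -1 with errno set. */
int open_strict(const char *path)
{
    size_t n = strlen(path);
    char *buf;
    int fd, saved;
    if (n == 0 || path[n - 1] != '/')
        return open(path, O_RDONLY);
    if ((buf = malloc(n + 2)) == NULL)
        return -1;
    memcpy(buf, path, n);
    memcpy(buf + n, ".", 2);            /* "bar/" becomes "bar/." */
    fd = open(buf, O_RDONLY);
    saved = errno;                      /* free() may clobber errno */
    free(buf);
    errno = saved;
    return fd;
}

/* Constructed fixture mirroring the message: file foo, symlink bar -> foo.
 * Returns errno from open_strict("bar/"), 0 if it opened, -1 on setup error. */
int demo(void)
{
    char dir[] = "/tmp/slashXXXXXX";    /* assumed scratch location */
    int fd, err = 0;
    if (mkdtemp(dir) == NULL || chdir(dir) != 0)
        return -1;
    if ((fd = open("foo", O_WRONLY | O_CREAT, 0600)) < 0 || close(fd) != 0 ||
        symlink("foo", "bar") != 0)
        return -1;
    if ((fd = open_strict("bar/")) < 0)
        err = errno;                    /* ENOTDIR: bar is not a directory */
    else
        close(fd);
    unlink("bar");
    unlink("foo");
    if (chdir("/") != 0 || rmdir(dir) != 0)
        return -1;
    return err;
}

int main(void) { return demo() == ENOTDIR ? 0 : 1; }
```

Paths that genuinely name a directory still open, since "dir/." resolves to the directory itself.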