From owner-freebsd-hackers@FreeBSD.ORG  Thu May 28 09:25:19 2009
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B0C671065672
	for <freebsd-hackers@freebsd.org>; Thu, 28 May 2009 09:25:19 +0000 (UTC)
	(envelope-from mel.flynn+fbsd.hackers@mailing.thruhere.net)
Received: from mailhub.rachie.is-a-geek.net (rachie.is-a-geek.net
	[66.230.99.27]) by mx1.freebsd.org (Postfix) with ESMTP id 662EE8FC19
	for <freebsd-hackers@freebsd.org>; Thu, 28 May 2009 09:25:19 +0000 (UTC)
	(envelope-from mel.flynn+fbsd.hackers@mailing.thruhere.net)
Received: from sarevok.dnr.servegame.org (mailhub.lan.rachie.is-a-geek.net
	[192.168.2.11])
	by mailhub.rachie.is-a-geek.net (Postfix) with ESMTP id B03337E83F;
	Thu, 28 May 2009 01:07:14 -0800 (AKDT)
From: Mel Flynn <mel.flynn+fbsd.hackers@mailing.thruhere.net>
To: freebsd-hackers@freebsd.org
Date: Thu, 28 May 2009 11:07:12 +0200
User-Agent: KMail/1.11.3 (FreeBSD/8.0-CURRENT; KDE/4.2.3; i386; ; )
References: <23727599.post@talk.nabble.com> <86prdvipwe.fsf@ds4.des.no>
	<86my8z8su6.fsf@ds4.des.no>
In-Reply-To: <86my8z8su6.fsf@ds4.des.no>
MIME-Version: 1.0
Content-Type: Text/Plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Message-Id: <200905281107.12864.mel.flynn+fbsd.hackers@mailing.thruhere.net>
Cc: Dag-Erling =?utf-8?q?Sm=C3=B8rgrav?= <des@des.no>,
	Jakub Lach <jakub_lach@mailplus.pl>
Subject: Re: FYI Lighttpd 1.4.23 /kernel (trailing '/' on regular file
	symlink) vulnerability
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2009 09:25:20 -0000

On Tuesday 26 May 2009 23:20:01 Dag-Erling Sm=C3=B8rgrav wrote:
> Dag-Erling Sm=C3=B8rgrav <des@des.no> writes:
> > Like bde@ pointed out, the patch is incorrect.  It moves the test for
> > v_type !=3D VDIR up to a point where, in the case of a symlink, v_type =
is
> > always (by definition) VLNK.
>
> Hmm, actually, symlinks are resolved in namei(), not lookup().  This is
> not going to be pretty.  I'll be back later...

I don't pretend to comprehend the kernel side of things fully, but wouldn't=
 it=20
be easier to append a dot to all trailing slashes inside or before passing =
to=20
namei? This works in userland at present and lighttpd could use something=20
similar as a work around until it's fixed:
% echo this is foo > foo

% ln -fs foo bar

% cat bar/
this is foo

% cat bar/.
cat: bar/.: Not a directory

=2D-=20
Mel