Date:      Thu, 28 May 2009 13:56:59 +0400
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        Mel Flynn <mel.flynn+fbsd.hackers@mailing.thruhere.net>
Cc:        freebsd-hackers@freebsd.org, Jakub Lach <jakub_lach@mailplus.pl>, Dag-Erling Smørgrav <des@des.no>
Subject:   Re: FYI Lighttpd 1.4.23 /kernel (trailing '/' on regular file symlink) vulnerability
Message-ID:  <SYq4sF6iy06tc2rWCFGePYRwybQ@XX1fo6zQUfC4h0jjRC6IBz3oNH4>
In-Reply-To: <200905281107.12864.mel.flynn%2Bfbsd.hackers@mailing.thruhere.net>
References:  <23727599.post@talk.nabble.com> <86prdvipwe.fsf@ds4.des.no> <86my8z8su6.fsf@ds4.des.no> <200905281107.12864.mel.flynn%2Bfbsd.hackers@mailing.thruhere.net>

Mel, good day.

Thu, May 28, 2009 at 11:07:12AM +0200, Mel Flynn wrote:
> On Tuesday 26 May 2009 23:20:01 Dag-Erling Smørgrav wrote:
> > Dag-Erling Smørgrav <des@des.no> writes:
> > > Like bde@ pointed out, the patch is incorrect.  It moves the test for
> > > v_type != VDIR up to a point where, in the case of a symlink, v_type is
> > > always (by definition) VLNK.
> >
> > Hmm, actually, symlinks are resolved in namei(), not lookup().  This is
> > not going to be pretty.  I'll be back later...

> I don't pretend to comprehend the kernel side of things fully, but
> wouldn't it be easier to append a dot to all trailing slashes inside
> or before passing to namei?

A dirty hack that puts some additional burden on the namei()  ;-/

> This works in userland at present and lighttpd could use something
> similar as a work around until it's fixed:

Yes, this will work, but it is better to apply the real fix ;))  Dirty
hacks aren't good at the long timescales -- they tend to obfuscate the
code and put unneeded interprocedure constraints (you should prepend dot
to the slash if you want to call namei()/we should add dot to slash to
make our life easier/etc).
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #
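The trailing-dot workaround Mel describes, as an added C example that is not code from this thread, from lighttpd or from the FreeBSD kernel: the rewrite of "name/" into "name/.", a check built on it, and a constructed scratch tree showing that a symlink to a regular file is then rejected with ENOTDIR while a symlink to a directory still resolves. The temporary directory and file names are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Rewrite "name/" as "name/." so lookup must treat "name" as a directory;
 * other paths are copied unchanged.  Returns -1 if out is too small. */
int dot_trailing_slash(const char *in, char *out, size_t outsz)
{
    size_t n = strlen(in);
    if (n + 2 > outsz) return -1;              /* room for '.' and NUL */
    memcpy(out, in, n + 1);
    if (n > 0 && in[n - 1] == '/')
        memcpy(out + n, ".", 2);
    return 0;
}
/* Open the rewritten path: 0 if it really is a directory, otherwise the
 * errno from open(2) (ENOTDIR for a regular file or a symlink to one). */
int open_as_dir_errno(const char *path)
{
    char buf[256];
    if (dot_trailing_slash(path, buf, sizeof buf) != 0) return ENAMETOOLONG;
    int fd = open(buf, O_RDONLY);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}
/* Constructed scratch tree (a file, a symlink to it, a symlink to a
 * directory); reports what "filelink/" and "dirlink/" resolve to. */
int demo(int *file_link_err, int *dir_link_err)
{
    char dir[] = "/tmp/dotslashXXXXXX", file[64], flink[64], dlink[64], req[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(file, sizeof file, "%s/file", dir);
    snprintf(flink, sizeof flink, "%s/filelink", dir);
    snprintf(dlink, sizeof dlink, "%s/dirlink", dir);
    int fd = open(file, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    if (symlink(file, flink) != 0 || symlink(dir, dlink) != 0) return -1;
    snprintf(req, sizeof req, "%s/", flink);
    *file_link_err = open_as_dir_errno(req);   /* ENOTDIR: symlink to a file */
    snprintf(req, sizeof req, "%s/", dlink);
    *dir_link_err = open_as_dir_errno(req);    /* 0: symlink to a directory */
    unlink(flink); unlink(dlink); unlink(file); rmdir(dir);
    return 0;
}
```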