Date: Fri, 16 Dec 2016 08:33:14 +0000 (UTC)
From: Ganael LAPLANCHE <martymac@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r428653 - in head/devel/simgear: . files
Message-ID: <201612160833.uBG8XEBo084184@repo.freebsd.org>
Author: martymac Date: Fri Dec 16 08:33:14 2016 New Revision: 428653 URL: https://svnweb.freebsd.org/changeset/ports/428653 Log: Backport security fix a2b111b Avoids a malicious repository writing to files outside the local storage root Reported by: "Rebecca N. Palmer" <rebecca_palmer@zoho.com> Security: https://sourceforge.net/p/flightgear/simgear/ci/a2b111bb09485769d75addf563cb6e44be6655b3/ Added: head/devel/simgear/files/patch-a2b111b-simgear-io-HTTPRepository.cxx (contents, props changed) Modified: head/devel/simgear/Makefile Modified: head/devel/simgear/Makefile ============================================================================== --- head/devel/simgear/Makefile Fri Dec 16 08:33:08 2016 (r428652) +++ head/devel/simgear/Makefile Fri Dec 16 08:33:14 2016 (r428653) @@ -2,6 +2,7 @@ PORTNAME= simgear PORTVERSION= 2016.4.3 +PORTREVISION= 1 CATEGORIES= devel games MASTER_SITES= SF/flightgear/release-${PORTVERSION:R} Added: head/devel/simgear/files/patch-a2b111b-simgear-io-HTTPRepository.cxx ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/devel/simgear/files/patch-a2b111b-simgear-io-HTTPRepository.cxx Fri Dec 16 08:33:14 2016 (r428653) 
@@ -0,0 +1,28 @@ +commit a2b111bb09485769d75addf563cb6e44be6655b3 +Author: James Turner <zakalawe@mac.com> +Date: Wed Dec 14 09:41:44 2016 +0000 + + Bugfix: reject dubious paths in HTTP repos. + + This avoids a malicious repository writing to files outside the local + storage root. + +diff --git simgear/io/HTTPRepository.cxx simgear/io/HTTPRepository.cxx +index 1c95f278..b0335783 100644 +--- simgear/io/HTTPRepository.cxx ++++ simgear/io/HTTPRepository.cxx +@@ -503,6 +503,14 @@ private: + SG_LOG(SG_TERRASYNC, SG_WARN, "malformed .dirindex file: invalid type in line '" << line << "', expected 'd' or 'f', (ignoring line)" ); + continue; + } ++ ++ // security: prevent writing outside the repository via ../../.. filenames ++ // (valid filenames never contain / - subdirectories have their own .dirindex) ++ if ((tokens[1] == "..") || (tokens[1].find_first_of("/\\") != std::string::npos)) { ++ SG_LOG(SG_TERRASYNC, SG_WARN, "malformed .dirindex file: invalid filename in line '" << line << "', (ignoring line)" ); ++ continue; ++ } ++ + children.push_back(ChildInfo(typeData == "f" ? ChildInfo::FileType : ChildInfo::DirectoryType, tokens[1], tokens[2])); + + if (tokens.size() > 3) {
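Review bot: The Makefile hunk's PORTREVISION bump to 1 is the right call here, since the added patch changes the installed library's behaviour and consumers need the rebuilt package; nothing else in that hunk needs changing. One small maintainability point: the added patch file carries the upstream commit hash in its name (patch-a2b111b-simgear-io-HTTPRepository.cxx), which is good practice because it lets the next person updating the port confirm against upstream whether the fix has landed in a later release and the local patch can be dropped.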
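Review bot: The new check in HTTPRepository.cxx rejects a bare ".." and any name containing '/' or '\\', which closes the traversal the commit message describes, but it is still permissive about two other entries a hostile .dirindex could carry: a bare "." and an empty name. Neither escapes the storage root, yet both produce a child whose path resolves to the directory itself, which is not a valid file or subdirectory entry and could confuse the later sync logic. Since the comment already states that valid filenames never contain a separator, extend the condition to cover those cases too, for example:

    if (tokens[1].empty() || (tokens[1] == ".") || (tokens[1] == "..") ||
        (tokens[1].find_first_of("/\\") != std::string::npos)) {

Placing this name validation in a small helper (something like a `isValidChildName()` predicate) would also make it easy to apply the same rule anywhere else the repository code turns an index token into a local path. The warning text and the `continue` match the existing "(ignoring line)" style of the surrounding checks, so the logging side is fine as is.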