The Samba-Bugzilla – Attachment 13512 Details for
Bug 12988
fake_snap.pl uses perl in an insecure way
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for 4.6.next and 4.7
0001-tests-fake_snap-sanitize-paths-v4-6-and-v4-7.patch (text/plain), 2.44 KB, created by
David Disseldorp
on 2017-08-29 11:31:06 UTC
(
hide
)
Description:
patch for 4.6.next and 4.7
Filename:
MIME Type:
Creator:
David Disseldorp
Created:
2017-08-29 11:31:06 UTC
Size:
2.44 KB
patch
obsolete
>From 07e1bbbf14bc5dbe426822068d140d28896dc43d Mon Sep 17 00:00:00 2001 >From: David Disseldorp via samba-technical <samba-technical@lists.samba.org> >Date: Sat, 26 Aug 2017 23:40:37 +0200 >Subject: [PATCH] tests/fake_snap: sanitize paths > >Ensure fake_snap.pl can be run in taint mode (-T), by sanitizing paths >and the PATH env. This fixes the following samba3.rpc.fsrvp selftest >failures: >Insecure dependency in mkdir while running setgid at (eval 2) line 4. >snap create failed: NT_STATUS_UNSUCCESSFUL >snap create failed for shadow copy of /home/ddiss/isms/samba/st/nt4_dc/share > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=12988 > >Signed-off-by: David Disseldorp <ddiss@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> > >Autobuild-User(master): Jeremy Allison <jra@samba.org> >Autobuild-Date(master): Tue Aug 29 04:54:51 CEST 2017 on sn-devel-144 > >(cherry picked from commit f9d4158f0b002b482df0a919d4cb337cce81f9f8) >--- > source3/script/tests/fake_snap.pl | 19 ++++++++++++++++--- > 1 file changed, 16 insertions(+), 3 deletions(-) > >diff --git a/source3/script/tests/fake_snap.pl b/source3/script/tests/fake_snap.pl >index d1233f375b0..18bbcb7142e 100755 >--- a/source3/script/tests/fake_snap.pl >+++ b/source3/script/tests/fake_snap.pl >@@ -5,14 +5,25 @@ use strict; > use File::Path qw(rmtree); > use POSIX (); > >+sub _untaint_path >+{ >+ my ($path) = @_; >+ >+ if ($path =~ /^(.*)$/) { >+ return $1; >+ } >+ die "bad path"; >+} >+ > sub _create_snapshot > { >- my ($base_path) = @_; >+ my ($base_path) = _untaint_path(shift); > my $time_str = POSIX::strftime("%Y.%m.%d-%H.%M.%S" , localtime()); > my $snap_path = $base_path . "/.snapshots/\@GMT-" . $time_str; > my $ret; > >- POSIX::mkdir($base_path . "/.snapshots", 0777); >+ $ENV{'PATH'} = '/bin:/usr/bin'; # untaint PATH >+ POSIX::mkdir($base_path . "/.snapshots", 0755); > > # add trailing slash to src path to ensure that only contents is copied > $ret = system("rsync", "-a", "--exclude=.snapshots/", "${base_path}/", >@@ -28,7 +39,8 @@ sub _create_snapshot > > sub _delete_snapshot > { >- my ($base_path, $snap_path) = @_; >+ my $base_path = _untaint_path(shift); >+ my $snap_path = _untaint_path(shift); > > # we're doing a recursive delete, so do some sanity checks > if ((index($snap_path, $base_path) != 0) || (index($snap_path, ".snapshots") == -1)) { >@@ -36,6 +48,7 @@ sub _delete_snapshot > return -1; > } > >+ $ENV{'PATH'} = '/bin:/usr/bin'; # untaint PATH > rmtree($snap_path, {error => \my $err}); > if (@$err) { > for my $diag (@$err) { >-- >2.13.5 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=13512">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
jra
:
review+
Actions:
View
Attachments on
bug 12988
: 13512