The Samba-Bugzilla – Attachment 14658 Details for Bug 11879: escape rrsync restricted folder
[patch] revised patch that also abs_path checks option args
rsync2.patch (text/plain), 2.48 KB, created by Nick Cleaton on 2018-11-14 06:35:09 UTC
>diff --git a/support/rrsync b/support/rrsync >old mode 100644 >new mode 100755 >index 9195aa2..397b9e6 >--- a/support/rrsync >+++ b/support/rrsync >@@ -8,11 +8,13 @@ use strict; > use Socket; > use Cwd 'abs_path'; > use File::Glob ':glob'; >+use Fcntl ':flock'; > > # You may configure these values to your liking. See also the section > # of options if you want to disable any options that rsync accepts. > use constant RSYNC => '/usr/bin/rsync'; > use constant LOGFILE => 'rrsync.log'; >+use constant LOCKFILE => '.rrsync.lock'; > > my $Usage = <<EOM; > Use 'command="$0 [-ro|-wo] SUBDIR"' >@@ -54,6 +56,12 @@ our $am_sender = $command =~ /^--server\s+--sender\s/; # Restrictive on purpose! > die "$0 sending to read-only server not allowed\n" if $only eq 'r' && !$am_sender; > die "$0 reading from write-only server not allowed\n" if $only eq 'w' && $am_sender; > >+# A lock file prevents an attacker from using one rrsync instance to make >+# filesystem changes underneath another running instance, tricking it into >+# leaving the restricted dir. >+open(LOCK_FH, '>>', LOCKFILE) or die "open lockfile: $!"; >+flock LOCK_FH, ($am_sender ? LOCK_SH : LOCK_EX) or die "lock lockfile: $!"; >+ > ### START of options data produced by the cull_options script. ### > > # These options are the only options that rsync might send to the server, >@@ -216,6 +224,11 @@ die "$0: invalid rsync-command syntax or options\n" if $in_options; > > @args = ( '.' ) if !@args; > >+for (@args) { >+ die "$0: do not use .. in any path!\n" if m{(^|/)\.\.(/|$)}; >+ die "$0: arg not under subdir\n" unless abs_is_under($_, $subdir); >+} >+ > if ($write_log) { > my ($mm,$hh) = (localtime)[1,2]; > my $host = $ENV{SSH_CONNECTION} || 'unknown'; 
>@@ -227,7 +240,19 @@ if ($write_log) { > } > > # Note: This assumes that the rsync protocol will not be maliciously hijacked. >-exec(RSYNC, @opts, @args) or die "exec(rsync @opts @args) failed: $? $!"; >+exit system(RSYNC, @opts, '--', @args); >+ >+sub abs_is_under { >+ my ($path, $under_abspath) = @_; >+ for (;;) { >+ my $a = abs_path($path); >+ if (defined $a) { >+ return $a =~ m{^\Q$under_abspath\E(/|$)}; >+ } >+ die "abs_path failed on .: $!" if $path eq '.'; >+ $path =~ s{/[^/]*$}{} or $path = '.'; >+ } >+} > > sub check_arg > { >@@ -238,6 +263,8 @@ sub check_arg > die "Do not use .. in --$opt; anchor the path at the root of your restricted dir.\n" > if $arg =~ m{(^|/)\.\.(/|$)}; > $arg =~ s{^/}{$subdir/}; >+ die "--$opt value outside restricted dir.\n" >+ unless abs_is_under($arg, $subdir); > } > $arg; > }
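Review bot: in the first hunk (@@ -8,11 +8,13 @@), `use constant LOCKFILE => '.rrsync.lock';` is a relative name, so which file gets locked depends on the working directory when the later `open` runs, and the visible lines do not say what that is. If it resolves inside the restricted directory, a client with write access can rename or replace `.rrsync.lock` through rsync itself, after which a new instance locks a different inode than the one a running instance holds. Suggest an absolute path outside the tree the client can write to, and a comment next to the constant stating where the file lives and why.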
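Review bot: in the second hunk (@@ -54,6 +56,12 @@), `flock LOCK_FH, ($am_sender ? LOCK_SH : LOCK_EX)` blocks with no timeout, so a single receiving session that holds `LOCK_EX` stalls every other rrsync instance on the same lock file for as long as it stays connected. Suggest adding `LOCK_NB` and dying with a clear "another transfer is in progress" message, or bounding the wait. Separately, `open(LOCK_FH, '>>', LOCKFILE)` needs write permission even when `$am_sender` is true, so a sender serving a directory it cannot write to now dies at "open lockfile"; a lexical handle (`open(my $lock_fh, ...)`) would also be preferable to the bareword `LOCK_FH`.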
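Review bot: in the third hunk (@@ -216,6 +224,11 @@), the new `for (@args)` loop dies before the `if ($write_log)` block is reached, so a request rejected with "arg not under subdir" or "do not use .. in any path!" leaves no entry in the log. These rejections are the events an operator most wants to see when someone probes the restriction; suggest either moving the loop after the logging block or writing a log line with the host and the rejected argument before the `die`.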
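Review bot: in the fourth hunk (@@ -227,7 +240,19 @@), `exit system(RSYNC, @opts, '--', @args);` hands the raw wait status to `exit`, which loses rsync's exit code: `system` returns the same value as `$?`, with the exit code in the high byte, and the process exit status keeps only the low 8 bits, so an rsync exit of 23 (wait status 5888) makes rrsync exit 0 and the client sees success. Suggest `my $st = system(RSYNC, @opts, '--', @args);` followed by `exit($st == -1 ? 255 : ($st & 127) ? 128 + ($st & 127) : $st >> 8);`. In `abs_is_under`, `my $a` shadows the `$a` used by `sort`; a name such as `$resolved` avoids the warning and the confusion. The sub also has no comment saying that a path which does not exist yet is judged by its nearest existing ancestor, which is the behaviour the loop implements and the reason the lock is needed.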
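Review bot: in the last hunk (@@ -238,6 +263,8 @@), the new `die "--$opt value outside restricted dir.\n"` sits inside the same block as the existing ".." check, and the condition guarding that block is not part of the hunk, so option values that skip that branch are not passed through `abs_is_under`. Please confirm that every option taking a path reaches this branch, or hoist the check so it does not depend on it. The message also omits the `$0:` prefix that the new `die` calls in the `@args` loop use; making them consistent helps when matching these errors in logs.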