Closed Bug 343552 Opened 19 years ago Closed 18 years ago

Bonsai shouldn't try to look ouside of cvsroot via ../

Categories

(Webtools Graveyard :: Bonsai, defect)

x86
Linux
defect
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ajschult784, Assigned: ajschult784)

Details

Attachments

(1 file, 2 obsolete files)

I saw this in my logwatch mail this morning !!!! 1 possible successful probes /bonsai/cvsblame.cgi?file=../../../../../../../../../../../etc/passwd HTTP Response 200 Further testing indicates 1. bonsai gave them an error page ("Invalid filename") 2. It was the wrong path to passwd 3. bonsai wouldn't have delivered the file it if was the right path because it didn't have ",v" on the end. 4. bonsai happily attempts to parse and deliver files (with ,v at the end) outside of /cvsroot.
further investigation reveals that ChrootFilename in globals.pl prevents anything bad from happening... I guess I'd expect that sort of check to happen before it looks for the RCS file.
Attached patch like so (obsolete) — Splinter Review
This is still not ideal. file=../some/path/../../cvsroot/somefile could be used to probe whether /some/path existed or not.
Attached patch more robust check (obsolete) — Splinter Review
This assumes nothing would hand valid URIs with ../ in them. If this might happen, canonPath could be taught to die if it tried traverse above cvsroot.
Assignee: tara → ajschult
Status: NEW → ASSIGNED
Attachment #228064 - Flags: review?(timeless)
Comment on attachment 228064 [details] [diff] [review] more robust check i think tinderbox and friends would use ../'s, certainly i would. let's do this some other way :(
Attachment #228064 - Flags: review?(timeless) → review-
Attachment #228062 - Attachment is obsolete: true
Attachment #228064 - Attachment is obsolete: true
Attachment #246702 - Flags: review?(timeless)
Comment on attachment 246702 [details] [diff] [review] don't let canonpath walk above cvsroot note that i believe bonsai now requires 5.6 (open calls?). also i'm not a fan of else after return. but this is ok otherwise :).
Attachment #246702 - Flags: review?(timeless) → review+
landed. note that the patch doesn't actually have else after return. It just looks like it because perl is strange.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Product: Webtools → Webtools Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: