Mailinglist Archive: opensuse-security (465 mails)
Re: [suse-security] Did SuSE hack mirror?
- From: Simon Oliver <simon.oliver@xxxxxxxxxxx>
- Date: Wed, 05 Dec 2001 11:25:30 +0000
- Message-id: <3C0E042A.C338791A@xxxxxxxxxxx>
Roman Drahtmueller wrote:
> Well, now that you have found out how the files get denied, no further
> explanation should be necessary to it. The reason is very simple: These
> characters are shell meta characters and can bring about security problems
> in shell scripts that walk through a mirrored tree.
Patient: I've got a sore finger doctor.
Doctor: I'll amputate your arm.
> When I saw these changes two years ago, I was not very content with them
> either (the security problems are in the shell scripts, not in the mirror
> package, so it was the wrong place to fix). But over the time, it proved
> to be quite reasonable, and I reduced my diligence to fixing the obviously
> wrong "unallowed" to "illegal", see the changelog of the package.
It all depends what you want to use mirror for I suppose. If the
problem is not with mirror then it shouldn't be fixed there - and at the
least there should be an override or a more strenuous test - again
wouldn't mirror.defaults be a better place for this: exclude_patt?
The /\.\./ match picks up any .. but that is not necessary (unless I am
mistaken, which is quite probable :-). This could easily be fixed with
a tighter expression such as m{(^\.\.)|(/\.\.)}.
> see the changelog of the package.
Where would that be? I looked in '/usr/share/doc/packages/mirror' and
could only find 'CHANGES-since-2.8.txt' and this doesn't mention this
hack. I'm obviously looking in the wrong place.
--
Simon Oliver
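
The difference between the two patterns discussed in the message above, as an added example that is not part of the original post or of the mirror package. It transcribes both patterns for Python's re module and adds a component-wise check (an assumption introduced here, not something proposed in the thread), then runs all three over constructed sample paths.

```python
import re

# Patterns quoted in the message, written for Python's re module.
LOOSE = re.compile(r"\.\.")               # /\.\./
TIGHTER = re.compile(r"(^\.\.)|(/\.\.)")  # m{(^\.\.)|(/\.\.)}


def has_dotdot_component(path):
    """True only if some whole path component is exactly '..'.

    Hypothetical helper added for comparison; not part of mirror.
    """
    return ".." in path.split("/")


def classify(path):
    """Return (loose, tighter, component) verdicts for one path."""
    return (
        bool(LOOSE.search(path)),
        bool(TIGHTER.search(path)),
        has_dotdot_component(path),
    )


# Constructed sample paths, not taken from the thread.
SAMPLES = [
    "../etc/passwd",        # leading parent-directory reference
    "pub/../../etc",        # parent-directory reference mid-path
    "pub/dir/..",           # trailing parent-directory reference
    "pub/notes..txt",       # ordinary name with two dots inside
    "pub/archive..tar.gz",  # ordinary name with two dots inside
    "pub/..cache/index",    # name that merely starts with two dots
    "pub/file.txt",         # nothing unusual
]


def report():
    """Classify every sample path with all three checks."""
    return [(p,) + classify(p) for p in SAMPLES]


if __name__ == "__main__":
    print(f"{'path':<22} loose  tighter  component")
    for path, loose, tighter, comp in report():
        print(f"{path:<22} {loose!s:<6} {tighter!s:<8} {comp}")
```

The tighter pattern stops rejecting names such as notes..txt, but it still rejects a name that only begins with two dots; only the component-wise check limits the match to real parent-directory references.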