Mailinglist Archive: opensuse-security (465 mails)

< Previous Next >
Re: [suse-security] Did SuSE hack mirror?
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Wed, 5 Dec 2001 09:47:15 +0100 (MET)
  • Message-id: <Pine.LNX.4.33.0112050938070.7614-100000@xxxxxxxxxxxx>
>
> I was having problems downloading files with ! and .. characters in the
> filename.
>
> I can see the potential security hazard where the resultant path might
> point to a different directory than intended but that would require the
> '..' to start the filepath or follow a '/' - the regexp below is not
> that specific. Am I missing something here or was this a lazy hack?
>
> Also, what is the potential security problem with files containing an
> exclamation mark? This question is not rhetorical - I honestly don't
> know!
>
> Finally, can't this be done in the mirror.defaults file so that it can
> be overridden on a package by package basis?
>
> Why isn't it documented in /usr/share/doc/packages/mirror? It took me
> quite a while to track this down!

Well, now that you have found out how the files get denied, no further
explanation should be necessary to it. The reason is very simple: These
characters are shell meta characters and can bring about security problems
in shell scripts that walk through a mirrored tree.

When I saw these changes two years ago, I was not very content with them
either (the security problems are in the shell scripts, not in the mirror
package, so it was the wrong place to fix). But over the time, it proved
to be quite reasonable, and I reduced my diligence to fixing the obviously
wrog "unallowed" to "illegal", see the changelog of the package.


>
> # important security check - marc@xxxxxxx
> # we don't use an allow list but an deny list because
> otherwise
> # we will get problems with umlaute and other stuff. And
> the
> # hole is very small anyway.
> if ( $src_path =~ m/[\\\n;&<>#\`!\$\*\|]/ || $src_path
> =~ m/\.\.
> /) {
> print STDERR "Error: source filename contains
> illegal ch
> aracters: \"$src_path\"\n";
> next;
> }
>
> --
> Simon Oliver
>
> --
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx
>




Roman.
--
- -
| Roman Drahtm├╝ller <draht@xxxxxxx> // "You don't need eyes to see, |
SuSE GmbH - Security Phone: // you need vision!"
| N├╝rnberg, Germany +49-911-740530 // Maxi Jazz, Faithless |
- -


< Previous Next >
Follow Ups
References