Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 2 Jul 2018 16:10:24 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: accountsservice: insufficient path check in
 user_change_icon_file_authorized_cb()

* Matthias Gerstner <mgerstner@...e.de>, 2018-07-02, 14:21:
>I think the easiest way to fix this is to normalize the user supplied 
>filename e.g. using realpath()

Using realpath(3) for access control is almost always a mistake: this 
function expands symlinks, including attacker-controlled symlinks.

You patch uses g_file_get_path(), which AFIACT doesn't use any 
filesystem I/O for canonicalisation, so that should be fine.

-- 
Jakub Wilk

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ