Date: Mon, 2 Jul 2018 16:10:24 +0200 From: Jakub Wilk <jwilk@...lk.net> To: oss-security@...ts.openwall.com Subject: Re: accountsservice: insufficient path check in user_change_icon_file_authorized_cb() * Matthias Gerstner <mgerstner@...e.de>, 2018-07-02, 14:21: >I think the easiest way to fix this is to normalize the user supplied >filename e.g. using realpath() Using realpath(3) for access control is almost always a mistake: this function expands symlinks, including attacker-controlled symlinks. You patch uses g_file_get_path(), which AFIACT doesn't use any filesystem I/O for canonicalisation, so that should be fine. -- Jakub Wilk
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ