Date: Mon, 2 Jul 2018 18:32:54 +0100
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: accountsservice: insufficient path check in user_change_icon_file_authorized_cb()

On Mon, 02 Jul 2018 at 16:10:24 +0200, Jakub Wilk wrote:
> Your patch uses g_file_get_path(), which AFAICT doesn't use any filesystem
> I/O for canonicalisation, so that should be fine.

It's specifically documented not to do any blocking I/O, and might provide
syntactic canonicalisation (the documentation doesn't specifically say
either way) but does not provide filesystem-aware canonicalisation. The
documentation also specifically says that the returned path "might contain
symlinks".

It might be a good idea to double-check that the result of g_file_get_path()
starts with "/", doesn't contain "/../" and (just for completeness) doesn't
end with "/..".

    smcv
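
The double-check suggested in the message above, written out as an added example; it is not part of the original message or of accountsservice's code. The helper name `path_is_lexically_clean` and the sample paths are constructed for illustration, and plain C string handling stands in for GLib so the block builds on its own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (the name is an assumption, not from accountsservice).
 * Purely lexical check on a path string such as the one returned by
 * g_file_get_path(): it does no filesystem I/O, so symlinks in the path
 * are NOT detected or resolved. */
static bool path_is_lexically_clean(const char *path)
{
    if (path == NULL || path[0] != '/')
        return false;                 /* must start with "/" */

    const char *p = path;
    while (*p != '\0') {
        while (*p == '/')             /* skip one or more separators */
            p++;
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        /* A component that is exactly ".." covers both "/../" inside the
         * path and "/.." at its end; "..name" and "name.." are ordinary
         * file names and are left alone. */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;
        p += len;
    }
    return true;
}

int main(void)
{
    /* Constructed sample inputs. */
    static const char *samples[] = {
        "/home/alice/face.png",
        "/home/alice/../../etc/passwd",
        "/home/alice/..",
        "face.png",
        "/home/alice/..face.png",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s %s\n", samples[i],
               path_is_lexically_clean(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Because the check is lexical only, a path that passes can still reach another location through a symlink, which is the limitation the message points out for g_file_get_path().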