Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 2 Jul 2018 18:32:54 +0100
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: accountsservice: insufficient path check in
 user_change_icon_file_authorized_cb()

On Mon, 02 Jul 2018 at 16:10:24 +0200, Jakub Wilk wrote:
> You patch uses g_file_get_path(), which AFIACT doesn't use any filesystem
> I/O for canonicalisation, so that should be fine.

It's specifically documented not to do any blocking I/O, and might provide
syntactic canonicalisation (the documentation doesn't specifically say
either way) but does not provide filesystem-aware canonicalisation.
The documentation also specifically says that the returned path "might
contain symlinks".

It might be a good idea to double-check that the result of
g_file_get_path() starts with "/", doesn't contain "/../" and (just for
completeness) doesn't end with "/..".

    smcv

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ