[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 2 Jul 2018 18:32:54 +0100
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: accountsservice: insufficient path check in
user_change_icon_file_authorized_cb()
On Mon, 02 Jul 2018 at 16:10:24 +0200, Jakub Wilk wrote:
> You patch uses g_file_get_path(), which AFIACT doesn't use any filesystem
> I/O for canonicalisation, so that should be fine.
It's specifically documented not to do any blocking I/O, and might provide
syntactic canonicalisation (the documentation doesn't specifically say
either way) but does not provide filesystem-aware canonicalisation.
The documentation also specifically says that the returned path "might
contain symlinks".
It might be a good idea to double-check that the result of
g_file_get_path() starts with "/", doesn't contain "/../" and (just for
completeness) doesn't end with "/..".
smcv
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
