FYI Lighttpd 1.4.23 /kernel (trailing '/' on regular file symlink) vulnerability
Mel Flynn
mel.flynn+fbsd.hackers at mailing.thruhere.net
Thu May 28 09:25:20 UTC 2009
On Tuesday 26 May 2009 23:20:01 Dag-Erling Smørgrav wrote:
> Dag-Erling Smørgrav <des at des.no> writes:
> > Like bde@ pointed out, the patch is incorrect. It moves the test for
> > v_type != VDIR up to a point where, in the case of a symlink, v_type is
> > always (by definition) VLNK.
>
> Hmm, actually, symlinks are resolved in namei(), not lookup(). This is
> not going to be pretty. I'll be back later...
I don't pretend to comprehend the kernel side of things fully, but wouldn't it
be easier to append a dot to all trailing slashes inside or before passing to
namei? This works in userland at present and lighttpd could use something
similar as a workaround until it's fixed:
% echo this is foo > foo
% ln -fs foo bar
% cat bar/
this is foo
% cat bar/.
cat: bar/.: Not a directory
--
Mel
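
The userland workaround suggested in the message above, as an added example that is not part of the original post and is not lighttpd or FreeBSD code: a path ending in '/' gets a '.' appended before it is opened, so the last component has to resolve as a directory. The helper names `dot_trailing_slash` and `open_normalized`, the buffer size and the sample paths are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: copy path to out, appending "." when path ends in
 * '/'. "bar/" becomes "bar/.", which fails with ENOTDIR if bar is a regular
 * file or a symlink to one. Returns 0, or -1 with errno = ENAMETOOLONG. */
int dot_trailing_slash(const char *path, char *out, size_t outlen)
{
    size_t len = strlen(path);
    int needs_dot = (len > 0 && path[len - 1] == '/');

    /* Room for the path, the optional dot and the terminating NUL. */
    if (len + (needs_dot ? 1 : 0) + 1 > outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, path, len);
    if (needs_dot)
        out[len++] = '.';
    out[len] = '\0';
    return 0;
}

/* Hypothetical wrapper: open read-only through the normalized path only. */
int open_normalized(const char *path)
{
    char buf[1024]; /* assumed upper bound for this sketch */

    if (dot_trailing_slash(path, buf, sizeof buf) != 0)
        return -1;
    return open(buf, O_RDONLY);
}

int main(void)
{
    /* Constructed sample paths, mirroring the shell session above. */
    const char *samples[] = { "bar", "bar/", "docs/sub/" };
    char buf[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (dot_trailing_slash(samples[i], buf, sizeof buf) == 0)
            printf("%-10s -> %s\n", samples[i], buf);
    return 0;
}
```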