FYI Lighttpd 1.4.23 /kernel (trailing '/' on regular file symlink) vulnerability
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Thu May 28 09:57:05 UTC 2009
Mel, good day.
Thu, May 28, 2009 at 11:07:12AM +0200, Mel Flynn wrote:
> On Tuesday 26 May 2009 23:20:01 Dag-Erling Smørgrav wrote:
> > Dag-Erling Smørgrav <des at des.no> writes:
> > > Like bde@ pointed out, the patch is incorrect. It moves the test for
> > > v_type != VDIR up to a point where, in the case of a symlink, v_type is
> > > always (by definition) VLNK.
> >
> > Hmm, actually, symlinks are resolved in namei(), not lookup(). This is
> > not going to be pretty. I'll be back later...
> I don't pretend to comprehend the kernel side of things fully, but
> wouldn't it be easier to append a dot to all trailing slashes inside
> or before passing to namei?
A dirty hack that puts some additional burden on namei() ;-/
> This works in userland at present and lighttpd could use something
> similar as a work around until it's fixed:
Yes, this will work, but it is better to apply the real fix ;)) Dirty
hacks aren't good over long timescales -- they tend to obfuscate the
code and impose unneeded inter-procedure constraints (you should prepend
a dot to the slash if you want to call namei()/we should add a dot to the
slash to make our life easier/etc).
--
Eygene
Remember that it is hard to read the on-line manual
while single-stepping the kernel.
  -- FreeBSD Developers handbook
More information about the freebsd-hackers
mailing list
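
The userland workaround discussed in the quoted text (putting a dot after a trailing slash before the lookup, so the last real component must be a directory), as an added C example that is not code from this thread, lighttpd or FreeBSD. The helper name `stat_trailing_slash_safe` and the temp-directory layout are assumptions constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not lighttpd or FreeBSD code: stat() a path, but when
 * it ends in '/', look up "<path>." so the last real component must be a
 * directory. Returns 0 on success, -1 with errno set. */
int stat_trailing_slash_safe(const char *path, struct stat *st)
{
    char buf[PATH_MAX];
    size_t len = strlen(path);

    if (len == 0) { errno = ENOENT; return -1; }
    if (path[len - 1] != '/') return stat(path, st);
    if (len + 2 > sizeof buf) { errno = ENAMETOOLONG; return -1; }
    snprintf(buf, sizeof buf, "%s.", path);
    return stat(buf, st);
}

/* Constructed check in a fresh temp dir: a regular file, a symlink to it and
 * a directory. Returns 0 when every lookup behaves as expected. */
int demo(void)
{
    char dir[] = "/tmp/tslashXXXXXX", file[64], lnk[64], sub[64], q[80];
    struct stat st;
    FILE *f;
    int bad = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(file, sizeof file, "%s/file", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    snprintf(sub, sizeof sub, "%s/sub", dir);
    if ((f = fopen(file, "w")) == NULL) return -1;
    fclose(f);
    if (symlink(file, lnk) != 0 || mkdir(sub, 0700) != 0) return -1;
    snprintf(q, sizeof q, "%s/", lnk);   /* symlink to a regular file + '/' */
    if (stat_trailing_slash_safe(q, &st) != -1 || errno != ENOTDIR) bad |= 1;
    if (stat_trailing_slash_safe(lnk, &st) != 0 || !S_ISREG(st.st_mode)) bad |= 2;
    snprintf(q, sizeof q, "%s/", sub);   /* real directory + '/' */
    if (stat_trailing_slash_safe(q, &st) != 0 || !S_ISDIR(st.st_mode)) bad |= 4;
    unlink(lnk); unlink(file); rmdir(sub); rmdir(dir);
    return bad;
}
int main(void) { return demo(); }
```

The check does not depend on how the kernel treats a bare trailing slash, because the lookup of `.` inside a regular file fails with ENOTDIR either way.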