FYI Lighttpd 1.4.23 /kernel (trailing '/' on regular file symlink) vulnerability

Eygene Ryabinkin rea-fbsd at codelabs.ru
Thu May 28 09:57:05 UTC 2009


Mel, good day.

Thu, May 28, 2009 at 11:07:12AM +0200, Mel Flynn wrote:
> On Tuesday 26 May 2009 23:20:01 Dag-Erling Sm??rgrav wrote:
> > Dag-Erling Sm??rgrav <des at des.no> writes:
> > > Like bde@ pointed out, the patch is incorrect.  It moves the test for
> > > v_type != VDIR up to a point where, in the case of a symlink, v_type is
> > > always (by definition) VLNK.
> >
> > Hmm, actually, symlinks are resolved in namei(), not lookup().  This is
> > not going to be pretty.  I'll be back later...

> I don't pretend to comprehend the kernel side of things fully, but
> wouldn't it be easier to append a dot to all trailing slashes inside
> or before passing to namei?

A dirty hack that puts some additional burden on the namei()  ;-/

> This works in userland at present and lighttpd could use something
> similar as a work around until it's fixed:

Yes, this will work, but it is better to apply the real fix ;))  Dirty
hacks aren't good at the long timescales -- they tend to obfuscate the
code and put unneeded interprocedure constraints (you should prepend dot
to the slash if you want to call namei()/we should add dot to slash to
make our life easier/etc).
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #


More information about the freebsd-hackers mailing list