Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 07 Oct 2011 15:41:23 +0100
From: John Haxby <>
Subject: Re: radvd 1.8.2 released with security fixes

On 07/10/11 14:03, Robert Święcki wrote:
> On Fri, Oct 7, 2011 at 12:35 PM, Huzaifa Sidhpurwala
> <> wrote:
>> Shouldnt this be:
>>        /* No path traversal */
>>        if (strstr(iface, "..") || strchr(iface, '/'))
>>                return -1;
> FWIW, this will reject too much;
> /path/to/sth..jpg

Indeed, since I don't believe that iface can reasonably include a "/"
its sufficient to check for that.   If not then you need to check for
"../" at the beginning of iface and "/.." anywhere else in it.   But
simply forbidding "/" should be fine.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.