Message-ID: <20180702173254.GC2555@espresso.pseudorandom.co.uk>
Date: Mon, 2 Jul 2018 18:32:54 +0100
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: accountsservice: insufficient path check in user_change_icon_file_authorized_cb()

On Mon, 02 Jul 2018 at 16:10:24 +0200, Jakub Wilk wrote:
> Your patch uses g_file_get_path(), which AFAICT doesn't use any filesystem
> I/O for canonicalisation, so that should be fine.

It's specifically documented not to do any blocking I/O, and might
provide syntactic canonicalisation (the documentation doesn't specifically
say either way) but does not provide filesystem-aware canonicalisation.
The documentation also specifically says that the returned path "might
contain symlinks".

It might be a good idea to double-check that the result of
g_file_get_path() starts with "/", doesn't contain "/../" and (just for
completeness) doesn't end with "/..".

    smcv
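The three syntactic checks suggested in the message above, written out as an added example; this is not code from the thread or from accountsservice. The helper name `path_is_syntactically_safe` and the sample paths are assumptions made for illustration, and the check takes a plain C string so it runs without GLib.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: purely syntactic check of a path string such as the
 * one returned by g_file_get_path(). It does no filesystem I/O, so symlinks
 * in the path are NOT resolved; a caller that cares about them needs a
 * separate, filesystem-aware check. */
static bool path_is_syntactically_safe(const char *path)
{
    size_t len;

    if (path == NULL)                    /* no local path available */
        return false;
    if (path[0] != '/')                  /* must be absolute */
        return false;
    if (strstr(path, "/../") != NULL)    /* no ".." component mid-path */
        return false;
    len = strlen(path);
    if (len >= 3 && strcmp(path + len - 3, "/..") == 0)
        return false;                    /* no trailing ".." component */
    return true;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the thread. */
    static const char *const samples[] = {
        "/home/alice/.face",             /* plain absolute path */
        "/home/alice/../../etc/shadow",  /* ".." in the middle */
        "/home/alice/..",                /* ".." at the end */
        "icons/alice.png",               /* relative path */
        "/home/alice/..hidden/a.png",    /* name starting with "..", not a ".." component */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s %s\n", samples[i],
               path_is_syntactically_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```
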