From fe36f84d843cd755c6dab629a0758264de5bcc00 Mon Sep 17 00:00:00 2001 From: "Jason A. Donenfeld" Date: Sat, 25 May 2013 19:47:15 +0200 Subject: ui-summary: Disallow directory traversal Using the url= query string, it was possible request arbitrary files from the filesystem if the readme for a given page was set to a filesystem file. The following request would return my /etc/passwd file: http://git.zx2c4.com/?url=/somerepo/about/../../../../etc/passwd http://data.zx2c4.com/cgit-directory-traversal.png This fix uses realpath(3) to canonicalize all paths, and then compares the base components. This fix introduces a subtle timing attack, whereby a client can check whether or not strstr is called using timing measurements in order to determine if a given file exists on the filesystem. This fix also does not account for filesystem race conditions (TOCTOU) in resolving symlinks. Signed-off-by: Jason A. Donenfeld diff --git a/ui-summary.c b/ui-summary.c index 2f8a822..57206dd 100644 --- a/ui-summary.c +++ b/ui-summary.c @@ -99,6 +99,7 @@ void cgit_print_summary() void cgit_parse_readme(const char *readme, const char *path, char **filename, char **ref, struct cgit_repo *repo) { const char *slash, *colon; + char *resolved_base, *resolved_full; *filename = NULL; *ref = NULL; @@ -133,7 +134,19 @@ void cgit_parse_readme(const char *readme, const char *path, char **filename, ch } *filename = xmalloc(slash - readme + 1 + strlen(path) + 1); strncpy(*filename, readme, slash - readme + 1); + if (!(*ref)) + resolved_base = realpath(*filename, NULL); strcpy(*filename + (slash - readme + 1), path); + if (!(*ref)) + resolved_full = realpath(*filename, NULL); + if (!(*ref) && (!resolved_base || !resolved_full || strstr(resolved_full, resolved_base) != resolved_full)) { + free(*filename); + *filename = NULL; + } + if (!(*ref)) { + free(resolved_base); + free(resolved_full); + } } else *filename = xstrdup(readme); } @@ -143,6 +156,9 @@ void cgit_print_repo_readme(char *path) char *filename, *ref; cgit_parse_readme(ctx.repo->readme, path, &filename, &ref, ctx.repo); + if (!filename) + return; + /* Print the calculated readme, either from the git repo or from the * filesystem, while applying the about-filter. */ -- cgit v0.10.1