--- Comment #6 from Leandro Lucarella <> 2009-11-30 16:44:19 
PST ---
Created an attachment (id=520)
Proof of concept patch

Here it is a proof of concept patch to allow directories in string imports
*safely*. The check is done as I said in comment 5: -J paths are converted to
canonical names, then the string import path is appended and the resulting path
is again converted to a canonical name. Then, the canonical name is checked to
be really in the canonical path. This prevents any type of highjacking (even
with symlinks).

Here is a simple example:

import("x/../../y") in combination with -J.. (assuming /tmp/x is the current
directory) is checked like this:
1) .. is converted to realpath(..) which yields /tmp
2) the canonical path is combined with the file name: /tmp/x/../../y
3) the new filename is converted to a canonical filename: /y
4) the canonical path and the canonical name are checked: /y doesn't start with
/tmp, so the import is rejected.

Unfortunately, I'm not a windows developer, and the path is only implemented
for POSIX (and only tested in Linux, but if other *nixes don't work it should
be fairly simple to fix). Compiling in Windows yields an error for now. If
there is no way to implement this on Windows, it's fairly easy to allow this
behavior in POSIX and fallback to the old behavior in Windows. Let me know if
you want a patch for that.

I'll attach a few test cases.

Configure issuemail:
------- You are receiving this mail because: -------

Reply via email to