Hi,

I'd like to report a problem with path validation for Windows, and propose a 
fix.

Function `verify_path` first calls `has_dos_drive_prefix` in order to prevent 
absolute drive paths like "C:\xxx". The logic for that is implemented as 
follows:

#define has_dos_drive_prefix(path) \
        (isalpha(*(path)) && (path)[1] == ':' ? 2 : 0)


The problem is that Windows will still interpret a path like this as an 
absolute drive path even if the first character isn't alpha, and so it should 
still be rejected.

In fact, it's actually possible to create drives like that which bypass this 
filter on Windows (as Administrator), even if it's not an officially supported 
feature:

>subst 1: C:\Users\x\Desktop

>dir 1:
...

 Directory of 1:\

08/06/2019  06:19 PM    <DIR>          .
08/06/2019  06:19 PM    <DIR>          ..
...


With a drive like this present, a malicious server can write to wherever that 
drive points when you perform a git clone (to test this, just create a git 
repository containing :1/file):

>git clone http://x/pathtest
Cloning into 'pathtest'...


>dir pathtest
...
 Directory of pathtest

08/08/2019  04:49 PM    <DIR>          .
08/08/2019  04:49 PM    <DIR>          ..
               0 File(s)              0 bytes


>dir C:\Users\x\Desktop
...
 Directory of C:\Users\x\Desktop

08/08/2019  04:49 PM                 9 file


If the drive doesn't exist, the clone will fail anyway:

>dir 1:
The system cannot find the path specified.

>git clone http://x/pathtest
Cloning into 'pathtest'...
fatal: cannot create directory at '1:': No such file or directory
warning: Clone succeeded, but checkout failed.
You can inspect what was checked out with 'git status'
and retry the checkout with 'git checkout -f HEAD'


So I'm proposing to remove the check for the drive letter being alpha in 
`has_dos_drive_prefix` macro:

#define has_dos_drive_prefix(path) \
        ( (path)[1] == ':' ? 2 : 0)


As well as being a security patch for RCE under very unlikely circumstance, 
this patch is also a micro performance boost!

Thanks,

Christopher Ertl | MSRC Vulnerabilities & Mitigations | Microsoft Limited 
Microsoft Limited (company number 01624297) is a company registered in England 
and Wales whose registered office is at Microsoft Campus, Thames Valley Park, 
Reading. RG6 1WG

Reply via email to