| author | Jason A. Donenfeld <Jason@zx2c4.com> | 2013-05-25 19:47:15 +0200 | 
|---|---|---|
| committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2013-05-25 20:33:28 +0200 | 
| commit | fe36f84d843cd755c6dab629a0758264de5bcc00 (patch) | |
| tree | fee8af2ed0f3df2fa9015453ce3e8d721df6a0cd /filters/html-converters/md2html | |
| parent | cgitrc.5: information on directory traversal and multiple readme files (diff) | |
| download | cgit-fe36f84d843cd755c6dab629a0758264de5bcc00.tar.gz cgit-fe36f84d843cd755c6dab629a0758264de5bcc00.tar.bz2 cgit-fe36f84d843cd755c6dab629a0758264de5bcc00.zip | |
ui-summary: Disallow directory traversal
Using the url= query string, it was possible to request arbitrary files
from the filesystem if the readme for a given page was set to a
filesystem file. The following request would return my /etc/passwd file:
http://git.zx2c4.com/?url=/somerepo/about/../../../../etc/passwd
http://data.zx2c4.com/cgit-directory-traversal.png
This fix uses realpath(3) to canonicalize all paths, and then compares
the base components.
This fix introduces a subtle timing attack, whereby a client can check
whether or not strstr is called using timing measurements in order
to determine if a given file exists on the filesystem.
This fix also does not account for filesystem race conditions (TOCTOU)
in resolving symlinks.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
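The canonicalise-then-compare approach the commit describes, as an added example that is not cgit's own code: `path_within_base()` runs both paths through realpath(3) and accepts the request only if the canonical base is a whole-component prefix of the canonical request, so a sibling such as `base-evil` is rejected along with `..` climbs and symlinks that resolve outside the directory. `make_fixture()` and `check_url()` are constructed test scaffolding (a temporary directory under /tmp), and the TOCTOU caveat from the commit message still applies: the check and the later open are separate syscalls.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 only if `requested`, once canonicalised with realpath(3), lies
 * inside the canonical `base` directory. Nonexistent paths fail closed. */
int path_within_base(const char *base, const char *requested)
{
    char real_base[PATH_MAX], real_req[PATH_MAX];
    if (!realpath(base, real_base) || !realpath(requested, real_req))
        return 0;
    size_t n = strlen(real_base);
    if (strncmp(real_base, real_req, n) != 0)
        return 0;
    /* Component boundary: "/srv/base" must not accept "/srv/base-evil/x". */
    return real_req[n] == '\0' || real_req[n] == '/';
}

static void touch(const char *p) { FILE *f = fopen(p, "w"); if (f) fclose(f); }
/* Constructed fixture (not real cgit data), built once: <root>/base holds a
 * README and a symlink to ../outside.txt; <root>/base-evil is a sibling dir. */
const char *make_fixture(void)
{
    static char root[PATH_MAX], p[PATH_MAX];
    if (root[0]) return root;
    snprintf(root, sizeof root, "/tmp/cgit_demo_XXXXXX");
    if (!mkdtemp(root)) { root[0] = '\0'; return NULL; }
    snprintf(p, sizeof p, "%s/base", root);        mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/base-evil", root);   mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/base/README", root); touch(p);
    snprintf(p, sizeof p, "%s/base-evil/x", root); touch(p);
    snprintf(p, sizeof p, "%s/outside.txt", root); touch(p);
    snprintf(p, sizeof p, "%s/base/escape", root); symlink("../outside.txt", p);
    return root;
}

/* Append a url-style suffix to <root>/base and run the check on it. */
int check_url(const char *suffix)
{
    char base[PATH_MAX], req[PATH_MAX];
    const char *root = make_fixture();
    if (!root) return 0;
    snprintf(base, sizeof base, "%s/base", root);
    snprintf(req, sizeof req, "%s%s", base, suffix);
    return path_within_base(base, req);
}
```

Note that realpath(3) fails on any nonexistent intermediate component, so a request through a missing `about/` directory is refused before the prefix comparison ever runs.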
Diffstat (limited to 'filters/html-converters/md2html')
0 files changed, 0 insertions, 0 deletions
