From: Rebecca N. P. <reb...@zo...> - 2015-07-12 17:46:17
I just fixed two minor security issues in Nasal's allowed paths checker:

- Passing a std::string to fgValidatePath, then passing that string (rather than the normalized path that fgValidatePath returns) to the file system, is insecure because fgValidatePath converts \ to / even when the underlying file system doesn't. (Minor problem because the only functions doing that were limited to .sav files.)
- Symlinks are followed, even if they lead out of the allowed directories (https://bugs.debian.org/780867). (Minor problem because there does not appear to be a way to create such symlinks from within FlightGear, but a manually downloaded aircraft could contain them already.)

The current fixes are somewhat messy, as we are in freeze and I hence prioritized low risk over neatness.

In 3.7, I plan to:

- Make realpath() on a nonexistent file f return SGPath(f.dir()).realpath()+"/"+f.file(), i.e. "realpath f would have if created now", instead of just returning f unchanged.
- Use this realpath() in fgValidatePath, and get rid of the now-redundant fgNormalizePath.
- Possibly make fgValidatePath only take SGPath (not std::string; SGPath converts \ to / on creation).
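
The two checks discussed in the message above, as an added example that is not part of the original post and is not FlightGear or SimGear code: a validator that resolves symlinks before the allowed-directory comparison, handles a not-yet-existing file by resolving its parent, and returns the path the caller must open. The names `resolve_path`, `validate_path` and `make_sandbox` and the temporary directory layout are assumptions made for illustration; it uses POSIX calls only.

```cpp
// Added example (hypothetical names; not FlightGear/SimGear code). POSIX only.
#include <climits>
#include <cstdlib>
#include <iostream>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Symlink-free absolute path. For a file that does not exist yet: resolved
// parent directory + "/" + file name ("realpath it would have if created now").
static std::string resolve_path(const std::string& p) {
    char buf[PATH_MAX];
    struct stat st;
    if (realpath(p.c_str(), buf)) return buf;
    if (lstat(p.c_str(), &st) == 0) return "";  // e.g. dangling symlink: refuse
    std::string::size_type slash = p.find_last_of('/');
    std::string dir = slash == std::string::npos ? "." : p.substr(0, slash);
    std::string file = slash == std::string::npos ? p : p.substr(slash + 1);
    if (dir.empty()) dir = "/";
    if (file.empty() || file == "." || file == ".." || !realpath(dir.c_str(), buf)) return "";
    std::string parent(buf);
    return (parent == "/" ? parent : parent + "/") + file;
}

// Returns the path the caller must hand to the file system, or "" if refused.
static std::string validate_path(const std::string& requested, const std::string& allowed_root) {
    std::string in = requested;
    for (char& c : in) if (c == '\\') c = '/';  // normalization described in the message
    std::string root = resolve_path(allowed_root), full = resolve_path(in);
    if (root.empty() || full.empty() || full.compare(0, root.size(), root) != 0) return "";
    if (root != "/" && full.size() > root.size() && full[root.size()] != '/') return "";
    return full;
}

// Constructed test tree: allowed/escape -> outside, allowed/dangling.sav -> outside/new.sav
static std::string make_sandbox() {
    char tmpl[] = "/tmp/pathcheckXXXXXX";
    if (!mkdtemp(tmpl)) return "";
    std::string b = resolve_path(tmpl), a = b + "/allowed", o = b + "/outside";
    if (mkdir(a.c_str(), 0700) || mkdir(o.c_str(), 0700) ||
        symlink(o.c_str(), (a + "/escape").c_str()) ||
        symlink((o + "/new.sav").c_str(), (a + "/dangling.sav").c_str())) return "";
    return b;
}

int main() {
    std::string b = make_sandbox(), root = b + "/allowed";
    for (const char* rel : {"/allowed/new.sav", "/allowed/escape/x.sav", "/allowed/dangling.sav"})
        std::cout << rel << " -> \"" << validate_path(b + rel, root) << "\"\n";
}
```

A caller that opens the requested string instead of the returned one reintroduces the first issue, and the check remains subject to a race if the tree can change between validation and open.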