
Re: [PATCH] #6 OS400/EBCDIC Port: Prevent OS conversion of file contents

From: Philip Martin <philip_at_codematters.co.uk>
Date: 2006-02-23 23:34:49 CET

Paul Burba <paulb@softlanding.com> writes:

> Philip Martin <philip@codematters.co.uk> wrote on 02/23/2006 04:55:52 PM:
>
>> It's probably a very small hole in practice, does OS400 use the
>> equivalent of a shared /tmp?
>
> Yes it does...you're making me nervous Philip, are you about to spring
> something terrible on us?

It's a standard symlink attack.

Subversion uses apr_temp_dir_get as a location for some temporary
files. Subversion creates temporary files using APR_CREATE|APR_EXCL
which would usually ensure that the file really is a file newly
created by the process. The OS400 code reopens such files which
allows a number of attacks, e.g. if the attacker can delete the
original file and replace it with a symlink then the process will
overwrite the symlink destination.

You might be able to add extra code to defeat such attacks, i.e. check
that the file descriptor really is a file, that the process is the
owner, that the permissions are correct, etc. although I'm not sure
whether APR provides all the interfaces you need to do all those
checks.

-- 
Philip Martin
Received on Thu Feb 23 23:35:16 2006

This is an archived mail posted to the Subversion Dev mailing list.
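
Added example, not part of the original message and not Subversion or APR code: one way to apply the checks suggested above when a temporary file has to be reopened by name, written against plain POSIX calls rather than APR. `reopen_checked` and `run_scenario` are hypothetical names, and the scenario runs in a constructed private scratch directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: reopen path only if it is still the file described by
   *orig (the fstat() taken on the descriptor from O_CREAT|O_EXCL). Never creates
   or truncates, and refuses a symlink as the last path component. fd or -1. */
int reopen_checked(const char *path, const struct stat *orig, int flags)
{
    struct stat now;
    int fd = open(path, (flags & ~(O_CREAT | O_TRUNC)) | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &now) != 0
        || !S_ISREG(now.st_mode)                     /* really a file */
        || now.st_uid != geteuid()                   /* this process is the owner */
        || (now.st_mode & (S_IRWXG | S_IRWXO)) != 0  /* permissions still private */
        || now.st_nlink != 1                         /* no extra hard links */
        || now.st_dev != orig->st_dev                /* same device and inode as */
        || now.st_ino != orig->st_ino) {             /* the file we created */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario. swap=1 replaces the temporary file with a symlink between
   create and reopen. Returns 1 if the reopen was accepted, 0 if refused, -1 on
   setup failure. */
int run_scenario(int swap)
{
    char dir[] = "/tmp/reopen-demo-XXXXXX", tmp[64], victim[64];
    struct stat orig;
    int fd, ok;
    if (!mkdtemp(dir)) return -1;
    snprintf(tmp, sizeof tmp, "%s/tempfile", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || fstat(fd, &orig) != 0) return -1;
    close(fd);
    if (swap) {
        close(open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600));
        if (unlink(tmp) != 0 || symlink(victim, tmp) != 0) return -1;
    }
    fd = reopen_checked(tmp, &orig, O_WRONLY);
    ok = fd >= 0; if (ok) close(fd);
    unlink(tmp); unlink(victim); rmdir(dir);
    return ok;
}
int main(void) { return printf("untouched=%d swapped=%d\n", run_scenario(0), run_scenario(1)) < 0; }
```

The device and inode comparison is the check that ties the reopened descriptor to the file originally created; keeping the original descriptor open and never reopening by name avoids the problem entirely.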