
Re: [PATCH] #6 OS400/EBCDIC Port: Prevent OS conversion of file contents

From: Philip Martin <philip_at_codematters.co.uk>
Date: 2006-02-23 23:34:49 CET

Paul Burba <paulb@softlanding.com> writes:

> Philip Martin <philip@codematters.co.uk> wrote on 02/23/2006 04:55:52 PM:
>> It's probably a very small hole in practice, does OS400 use the
>> equivalent of a shared /tmp?
> Yes it does...you're making me nervous Philip, are you about to spring
> something terrible on us?

It's a standard symlink attack.

Subversion uses apr_temp_dir_get as a location for some temporary
files. Subversion creates temporary files using APR_CREATE|APR_EXCL
which would usually ensure that the file really is a file newly
created by the process. The OS400 code reopens such files which
allows a number of attacks, e.g. if the attacker can delete the
original file and replace it with a symlink then the process will
overwrite the symlink destination.

You might be able to add extra code to defeat such attacks, i.e. check
that the file descriptor really is a file, that the process is the
owner, that the permissions are correct, etc. although I'm not sure
whether APR provides all the interfaces you need to do all those

Philip Martin
Received on Thu Feb 23 23:35:16 2006

This is an archived mail posted to the Subversion Dev mailing list.
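
The checks suggested in the mail above (really a file, owned by the process, permissions correct), as an added example that is not part of the original message and is not Subversion or APR code. It assumes plain POSIX calls and that the descriptor from the original `O_CREAT|O_EXCL` open is still held; the device/inode comparison goes beyond the checks the mail lists, and the names `reopen_verified` and `demo` are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example in plain POSIX, not APR or Subversion code. Returns a new
 * descriptor for `path` only if it is the file behind the still-open
 * `orig_fd` (created with O_CREAT|O_EXCL); otherwise -1. */
int reopen_verified(int orig_fd, const char *path, int flags)
{
    struct stat a, b;
    int fd;
    if (fstat(orig_fd, &a) != 0)
        return -1;
    /* O_NOFOLLOW: refuse a final-component symlink; never O_CREAT/O_TRUNC. */
    fd = open(path, (flags & ~(O_CREAT | O_TRUNC)) | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &b) != 0 || !S_ISREG(b.st_mode)       /* really a file */
        || b.st_dev != a.st_dev || b.st_ino != a.st_ino /* same object */
        || b.st_uid != geteuid()                        /* we own it */
        || (b.st_mode & (S_IWGRP | S_IWOTH))) {         /* others can't write */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private directory. swap: 0 = path untouched,
 * 1 = replaced by symlink, 2 = replaced by new file. Returns 1 = accepted. */
int demo(int swap)
{
    char dir[] = "/tmp/reopen_demo_XXXXXX", tmp[64], victim[64];
    int orig, fd;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(tmp, sizeof tmp, "%s/svn.tmp", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    close(open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600));
    orig = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (swap) unlink(tmp);
    if (swap == 1 && symlink(victim, tmp) != 0) return -1;
    if (swap == 2) close(open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600));
    fd = reopen_verified(orig, tmp, O_WRONLY);
    if (fd >= 0) close(fd);
    close(orig); unlink(tmp); unlink(victim); rmdir(dir);
    return fd >= 0;
}
int main(void) { return !(demo(0) == 1 && demo(1) == 0 && demo(2) == 0); }
```

Because the original descriptor stays open, its inode cannot be reused, so a matching device and inode pair means the path still names the file the process created.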