[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-wget] Wget - acess list bypass / race condition PoC
From: |
Giuseppe Scrivano |
Subject: |
Re: [Bug-wget] Wget - acess list bypass / race condition PoC |
Date: |
Sun, 21 Aug 2016 15:26:58 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) |
Hi,
"Misra, Deapesh" <address@hidden> writes:
> Yes - I whole heartedly agree with the following:
>
>>
>> To cite myself :)
>> "But there is also non-obvious wget behavior in creating those (temp) files
>> in
>> the filesystem."
>>
>> The Wget docs just don't make clear that these files come into existence for
>> a
>> while. Of course we could amend the docs and lean back... but it still is
>> not
>> an intuitive behavior and I fear people might trap into that pit. And we
>> could
>> easily prevent it with some lines of code...
>>
>> Regards, Tim
>
> Although I am late to this thread, I would like to elucidate the basic issue
> I had with the current scenario with an analogy:
>
> If I assign a guard to a room and order the guard not to allow (say)
> people wearing yellow shirts, I intuitively expect that the people
> with yellow shirts will be prevented from entering the room and not
> that everyone will be allowed into the room and then the yellow
> shirted people will be asked to leave.
>
> When I had thought about the possible solutions, I had thought of storing the
> files in a temporary location. But you guys (developers) are on the right
> track with all your solutions and the ensuing discussion, IMHO.
If nobody is going to complain, I will push these patches shortly:
>From 1904fbfb40d817075a809124cb03640b9b7234df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <address@hidden>
Date: Sun, 14 Aug 2016 21:04:58 +0200
Subject: [PATCH 1/2] Limit file mode to u=rw on temp. downloaded files
* bootstrap.conf: Add gnulib modules fopen, open.
* src/http.c (open_output_stream): Limit file mode to u=rw
on temporary downloaded files.
Reported-by: "Misra, Deapesh" <address@hidden>
Discovered by: Dawid Golunski (http://legalhackers.com)
---
bootstrap.conf | 2 ++
src/http.c | 13 ++++++++++++-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/bootstrap.conf b/bootstrap.conf
index 2b225b7..d9a5f90 100644
--- a/bootstrap.conf
+++ b/bootstrap.conf
@@ -40,6 +40,7 @@ dirname
fcntl
flock
fnmatch
+fopen
futimens
ftello
getaddrinfo
@@ -71,6 +72,7 @@ crypto/md5
crypto/sha1
crypto/sha256
crypto/sha512
+open
quote
quotearg
recv
diff --git a/src/http.c b/src/http.c
index 56b8669..d463f29 100644
--- a/src/http.c
+++ b/src/http.c
@@ -39,6 +39,7 @@ as that of the covered work. */
#include <errno.h>
#include <time.h>
#include <locale.h>
+#include <fcntl.h>
#include "hash.h"
#include "http.h"
@@ -2471,7 +2472,17 @@ open_output_stream (struct http_stat *hs, int count,
FILE **fp)
open_id = 22;
*fp = fopen (hs->local_file, "wb", FOPEN_OPT_ARGS);
#else /* def __VMS */
- *fp = fopen (hs->local_file, "wb");
+ if (opt.delete_after
+ || opt.spider /* opt.recursive is implicitely true */
+ || !acceptable (hs->local_file))
+ {
+ *fp = fdopen (open (hs->local_file, O_CREAT | O_TRUNC |
O_WRONLY, S_IRUSR | S_IWUSR), "wb");
+ }
+ else
+ {
+ *fp = fopen (hs->local_file, "wb");
+ }
+
#endif /* def __VMS [else] */
}
else
--
2.7.4
>From 7013f8260fc0a2b71f2414593aedb45c77972d98 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <address@hidden>
Date: Sun, 21 Aug 2016 15:21:44 +0200
Subject: [PATCH 2/2] Append .tmp to temporary files
* src/http.c (struct http_stat): Add `temporary` flag.
(check_file_output): Append .tmp to temporary files.
(open_output_stream): Refactor condition to use hs->temporary instead.
Reported-by: "Misra, Deapesh" <address@hidden>
Discovered by: Dawid Golunski (http://legalhackers.com)
---
NEWS | 6 ++++++
src/http.c | 14 +++++++++++---
2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/NEWS b/NEWS
index 5073d7e..56c21a5 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,12 @@ See the end for copying conditions.
Please send GNU Wget bug reports to <address@hidden>.
+* Changes in Wget X.Y.Z
+
+* On a recursive download, append a .tmp suffix to temporary files
+ that will be deleted after being parsed, and create them
+ readable/writable only by the owner.
+
* Changes in Wget 1.18
* By default, on server redirects to a FTP resource, use the original
diff --git a/src/http.c b/src/http.c
index d463f29..43bc2cb 100644
--- a/src/http.c
+++ b/src/http.c
@@ -1569,6 +1569,7 @@ struct http_stat
#ifdef HAVE_METALINK
metalink_t *metalink;
#endif
+ bool temporary; /* downloading a temporary file */
};
static void
@@ -2259,6 +2260,15 @@ check_file_output (struct url *u, struct http_stat *hs,
xfree (local_file);
}
+ hs->temporary = opt.delete_after || opt.spider || !acceptable
(hs->local_file);
+ if (hs->temporary)
+ {
+ char *tmp = NULL;
+ asprintf (&tmp, "%s.tmp", hs->local_file);
+ xfree (hs->local_file);
+ hs->local_file = tmp;
+ }
+
/* TODO: perform this check only once. */
if (!hs->existence_checked && file_exists_p (hs->local_file))
{
@@ -2472,9 +2482,7 @@ open_output_stream (struct http_stat *hs, int count, FILE
**fp)
open_id = 22;
*fp = fopen (hs->local_file, "wb", FOPEN_OPT_ARGS);
#else /* def __VMS */
- if (opt.delete_after
- || opt.spider /* opt.recursive is implicitely true */
- || !acceptable (hs->local_file))
+ if (hs->temporary)
{
*fp = fdopen (open (hs->local_file, O_CREAT | O_TRUNC |
O_WRONLY, S_IRUSR | S_IWUSR), "wb");
}
--
2.7.4
Regards,
Giuseppe
- Re: [Bug-wget] Wget - acess list bypass / race condition PoC, (continued)
- Re: [Bug-wget] Wget - acess list bypass / race condition PoC, Tim Rühsen, 2016/08/15
- Re: [Bug-wget] Wget - acess list bypass / race condition PoC, Ander Juaristi, 2016/08/17
- Re: [Bug-wget] Wget - acess list bypass / race condition PoC, Tim Rühsen, 2016/08/17
- Re: [Bug-wget] Wget - acess list bypass / race condition PoC, Dawid Golunski, 2016/08/17
- Re: [Bug-wget] Wget - acess list bypass / race condition PoC, Tim Rühsen, 2016/08/17
- Re: [Bug-wget] Wget - acess list bypass / race condition PoC, Dawid Golunski, 2016/08/17
- Re: [Bug-wget] Wget - acess list bypass / race condition PoC, Dawid Golunski, 2016/08/17
- Re: [Bug-wget] Wget - acess list bypass / race condition PoC, Giuseppe Scrivano, 2016/08/18
- Re: [Bug-wget] Wget - acess list bypass / race condition PoC, Tim Rühsen, 2016/08/18
- Re: [Bug-wget] Wget - acess list bypass / race condition PoC, Misra, Deapesh, 2016/08/18
- Re: [Bug-wget] Wget - acess list bypass / race condition PoC,
Giuseppe Scrivano <=
- Re: [Bug-wget] Wget - acess list bypass / race condition PoC, Eli Zaretskii, 2016/08/21
- Re: [Bug-wget] Wget - acess list bypass / race condition PoC, Giuseppe Scrivano, 2016/08/21
- Re: [Bug-wget] Wget - acess list bypass / race condition PoC, Giuseppe Scrivano, 2016/08/24
- Re: [Bug-wget] Wget - acess list bypass / race condition PoC, Kurt Seifried, 2016/08/21