diff options
| author | Ravishankar N <ravishankar@redhat.com> | 2018-11-01 21:31:41 +0530 |
|---|---|---|
| committer | Pranith Kumar Karampuri <pkarampu@redhat.com> | 2018-11-05 10:51:03 +0000 |
| commit | bd1a8fc74ac9322384daab94bf5736cae15ecbfe (patch) | |
| tree | 79bd59408d57cbe723f09992fecfa964f3220a50 /xlators/features/index | |
| parent | 643c9d049de970d27b2bfa806c4d47ea6eabefe6 (diff) | |
| download | glusterfs-bd1a8fc74ac9322384daab94bf5736cae15ecbfe.tar.gz glusterfs-bd1a8fc74ac9322384daab94bf5736cae15ecbfe.tar.xz glusterfs-bd1a8fc74ac9322384daab94bf5736cae15ecbfe.zip | |
index: prevent arbitrary file creation outside entry-changes folder
Problem:
A compromised client can set arbitrary values for the GF_XATTROP_ENTRY_IN_KEY
and GF_XATTROP_ENTRY_OUT_KEY during xattrop fop. These values are
consumed by index as a filename to be created/deleted according to the key.
Thus it is possible to create/delete random files even outside the gluster
volume boundary.
Fix:
Index expects the filename to be a basename, i.e. it must not contain any
pathname components like "/" or "../". Enforce this.
Fixes: CVE-2018-14654
Fixes: bz#1644760
Change-Id: I35f2a39257b5917d17283d0a4f575b92f783f143
Signed-off-by: Ravishankar N <ravishankar@redhat.com>
Diffstat (limited to 'xlators/features/index')
| -rw-r--r-- | xlators/features/index/src/index.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/xlators/features/index/src/index.c b/xlators/features/index/src/index.c index 98dba95aba..c487e8a572 100644 --- a/xlators/features/index/src/index.c +++ b/xlators/features/index/src/index.c @@ -849,6 +849,14 @@ index_entry_create(xlator_t *this, inode_t *inode, char *filename) ctx->state[ENTRY_CHANGES] = IN; } + if (strchr(filename, '/')) { + gf_msg(this->name, GF_LOG_ERROR, EINVAL, INDEX_MSG_INDEX_ADD_FAILED, + "Got invalid entry (%s) for pargfid path (%s)", filename, + pgfid_path); + op_errno = EINVAL; + goto out; + } + len = snprintf(entry_path, sizeof(entry_path), "%s/%s", pgfid_path, filename); if ((len < 0) || (len >= sizeof(entry_path))) { @@ -883,6 +891,15 @@ index_entry_delete(xlator_t *this, uuid_t pgfid, char *filename) make_gfid_path(priv->index_basepath, ENTRY_CHANGES_SUBDIR, pgfid, pgfid_path, sizeof(pgfid_path)); + + if (strchr(filename, '/')) { + gf_msg(this->name, GF_LOG_ERROR, EINVAL, INDEX_MSG_INDEX_DEL_FAILED, + "Got invalid entry (%s) for pargfid path (%s)", filename, + pgfid_path); + op_errno = EINVAL; + goto out; + } + len = snprintf(entry_path, sizeof(entry_path), "%s/%s", pgfid_path, filename); if ((len < 0) || (len >= sizeof(entry_path))) { |