Re: [Exim] create_file = belowhome: unexpected behaviour

Author: Harald Meland
Date:
To: Philip Hazel
CC: Ray Miller, exim-users
Subject: Re: [Exim] create_file = belowhome: unexpected behaviour
[Philip Hazel]

> Only a little while ago, On Fri, 1 Oct 1999, I wrote:
>
> > On Fri, 1 Oct 1999, Ray Miller wrote:
> >
> > > But if I specify "save /home/ray/../../tmp/foo" in the filter,
> >
> > Oh dear. I really don't have a devious enough mind! I will add a check
> > to the code to forbid .. components when that check is set. Thanks for
> > pointing out the problem.
>
> Here's a patch for Exim 3.03 that fixes this problem.


As far as I can see, a simple symlink ~/root -> / will still allow
users to create files anywhere they like (if they have write access).

To fix this, one would have to grind the destination through
realpath(3) (on systems that have such a thing) and compare the
resulting fully resolved destination with whatever restrictions there
are.
--
Harald
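
The realpath(3) comparison suggested in the message above, as an added example that is not part of the original post and is not Exim's code. The function name `is_below_home` and the temporary paths in `main()` are assumptions made for illustration.

```c
/* Added example: not Exim source code. Paths in main() are constructed. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1: dest resolves to a location below home; 0: it does not; -1: error. */
int is_below_home(const char *home, const char *dest)
{
    char home_real[PATH_MAX], res[PATH_MAX], tmp[PATH_MAX];
    struct stat st;
    size_t hlen;

    if (strlen(dest) >= PATH_MAX) return -1;
    if (realpath(home, home_real) == NULL) return -1;
    if (realpath(dest, res) == NULL) {
        if (errno != ENOENT) return -1;
        /* Present but unresolvable: a dangling symlink, which a plain
           open(O_CREAT) would follow to its target. Refuse it. */
        if (lstat(dest, &st) == 0) return 0;
        /* Not created yet: resolve the directory it would be created in. */
        strcpy(tmp, dest);
        if (realpath(dirname(tmp), res) == NULL) return -1;
    }
    hlen = strlen(home_real);
    if (strcmp(home_real, "/") == 0) return 1;
    /* The prefix must end on a component boundary: /home/ray2 != /home/ray */
    if (strncmp(res, home_real, hlen) != 0) return 0;
    return res[hlen] == '\0' || res[hlen] == '/';
}

int main(void)
{
    char home[] = "/tmp/belowhome-XXXXXX", p[PATH_MAX];
    if (mkdtemp(home) == NULL) return 1;
    snprintf(p, sizeof p, "%s/root", home);
    if (symlink("/", p) != 0) return 1;          /* ~/root -> / */
    snprintf(p, sizeof p, "%s/root/tmp/foo", home);
    printf("%s -> %d\n", p, is_below_home(home, p));
    snprintf(p, sizeof p, "%s/foo", home);
    printf("%s -> %d\n", p, is_below_home(home, p));
    return 0;
}
```

The check and the later open are separate steps, so the path can change between them; opening the file with O_NOFOLLOW and O_EXCL narrows that window.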