[exim-cvs] Refuse to open a msglog file with .. in the path.

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
 
 
Delete this message
Reply to this message
Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Refuse to open a msglog file with .. in the path.
Gitweb: https://git.exim.org/exim.git/commitdiff/8f84b06a462cb02821c09aeeb8ca77f1bbdc00cb
Commit:     8f84b06a462cb02821c09aeeb8ca77f1bbdc00cb
Parent:     b09c17939112f84e689a9c1343f00ca84610325d
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Tue Sep 10 12:29:12 2019 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Tue Sep 10 12:33:28 2019 +0100


    Refuse to open a msglog file with .. in the path.


    Recent exploits have use this as a step for overwriting system files,
    and msglog file should always be under the spooldir, so add this as
    a defence-in-depth tactic
---
 src/src/deliver.c | 4 ++++
 1 file changed, 4 insertions(+)


diff --git a/src/src/deliver.c b/src/src/deliver.c
index 59fbeea..72751c2 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -328,6 +328,10 @@ Returns:    a file descriptor, or -1 (with errno set)
 static int
 open_msglog_file(uschar *filename, int mode, uschar **error)
 {
+if (Ustrstr(filename, US"/../"))
+  log_write(0, LOG_MAIN|LOG_PANIC,
+    "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);
+
 for (int i = 2; i > 0; i--)
   {
   int fd = Uopen(filename,


This message was posted to the following mailing lists:
exim-cvs
Mailing List Info | Nearby Messages		<-[exim-cvs] tidying[exim-cvs] Doc: Typos->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)