fixed: security vulnerability in 'ln' winix function
a user could create a hardlink to any file and the new link had user_id, group_id and permissions the same as for new generated files, this allowes to overwrite any existing file in the filesystem, now user_id, group_id, permissions are the same as from the oryginal file git-svn-id: svn://ttmath.org/publicrep/winix/trunk@941 e52654a7-88a9-db11-a3e9-0013d4bc506e
This commit is contained in:
parent
375604edd6
commit
c04874397b
|
@ -517,7 +517,11 @@ void Dirs::CopyDirTab(const std::vector<Item*> & in, std::vector<Item*> & out)
|
|||
|
||||
|
||||
|
||||
|
||||
/*
|
||||
!! IMPROVE ME
|
||||
may dir_tab can be empty when link_to is not relative?
|
||||
and now the algorith doesn't check if link_to is not relative (it only uses dir_tab)
|
||||
*/
|
||||
bool Dirs::AnalyzeDir(std::vector<Item*> & dir_tab, const std::wstring & link_to, size_t & i)
|
||||
{
|
||||
size_t old_i;
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
* This file is a part of Winix
|
||||
* and is not publicly distributed
|
||||
*
|
||||
* Copyright (c) 2008-2012, Tomasz Sowa
|
||||
* Copyright (c) 2008-2013, Tomasz Sowa
|
||||
* All rights reserved.
|
||||
*
|
||||
*/
|
||||
|
@ -76,7 +76,7 @@ struct Item
|
|||
|
||||
// used when type is symlink or to a directory too (function 'default')
|
||||
std::wstring link_to;
|
||||
int link_redirect;
|
||||
int link_redirect; // !! IMPROVE ME should it be 'bool'?
|
||||
|
||||
|
||||
// static file (if exists)
|
||||
|
|
|
@ -1207,6 +1207,8 @@ int System::FollowAllLinks(const std::vector<Item*> & current_dir_tab, const std
|
|||
}
|
||||
else
|
||||
{
|
||||
// !! CHECK ME
|
||||
// FollowLink is using link_to_temp temporary variable too
|
||||
res = FollowLink(current_dir_tab, link_to_temp, out_dir_tab, out_item);
|
||||
link_to_temp.clear();
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
* This file is a part of Winix
|
||||
* and is not publicly distributed
|
||||
*
|
||||
* Copyright (c) 2010-2012, Tomasz Sowa
|
||||
* Copyright (c) 2010-2013, Tomasz Sowa
|
||||
* All rights reserved.
|
||||
*
|
||||
*/
|
||||
|
@ -29,58 +29,89 @@ bool Ln::HasAccess()
|
|||
}
|
||||
|
||||
|
||||
void Ln::CreateSymbolicLink(const std::wstring & link_to)
|
||||
|
||||
bool Ln::CreateSymbolicLink(long parent_id, const wchar_t * link_to, const wchar_t * url, bool link_redirect)
|
||||
{
|
||||
item.Clear(); // setting the date to now
|
||||
item.type = Item::symlink;
|
||||
item.parent_id = cur->request->dir_tab.back()->id;
|
||||
item.url = cur->request->PostVar(L"url");
|
||||
item.parent_id = parent_id;
|
||||
item.url = url;
|
||||
item.link_to = link_to;
|
||||
item.link_redirect = cur->request->IsPostVar(L"makeredirect") ? 1 : 0;
|
||||
item.link_redirect = static_cast<int>(link_redirect);
|
||||
item.privileges = system->NewFilePrivileges();
|
||||
functions->SetUser(item);
|
||||
functions->PrepareUrl(item);
|
||||
|
||||
cur->request->status = db->AddItem(item);
|
||||
|
||||
if( cur->request->status == WINIX_ERR_OK )
|
||||
log << log3 << "Ln: created a symbolic link to: " << link_to << logend;
|
||||
return db->AddItem(item) == WINIX_ERR_OK;
|
||||
}
|
||||
|
||||
|
||||
void Ln::CreateHardLink(const std::wstring & link_to)
|
||||
bool Ln::CreateSymbolicLink(long parent_id, const std::wstring & link_to, const std::wstring & url, bool link_redirect)
|
||||
{
|
||||
int res = system->FollowAllLinks(cur->request->dir_tab, link_to, dir_tab, item, false, false);
|
||||
return CreateSymbolicLink(parent_id, link_to.c_str(), url.c_str(), link_redirect);
|
||||
}
|
||||
|
||||
|
||||
void Ln::CreateSymbolicLink(const std::wstring & link_to)
|
||||
{
|
||||
long parent_id = cur->request->dir_tab.back()->id;
|
||||
const std::wstring & url = cur->request->PostVar(L"url");
|
||||
bool link_redirect = cur->request->IsPostVar(L"makeredirect") ? 1 : 0;
|
||||
|
||||
if( CreateSymbolicLink(parent_id, link_to, url, link_redirect) )
|
||||
log << log3 << "Ln: created a symbolic link to: " << link_to << logend;
|
||||
else
|
||||
cur->request->status = WINIX_ERR_PERMISSION_DENIED;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
!! IMPROVE ME
|
||||
we need a better public interface
|
||||
instead of std::vector<Item*> may std::wstring for path?
|
||||
|
||||
dirs - directory from we start looking for a destination file
|
||||
link_to - destination file (name or path - relative or not)
|
||||
url - suggested url name of the link
|
||||
*/
|
||||
bool Ln::CreateHardLink(const std::vector<Item*> & dirs, const std::wstring & link_to, const std::wstring & url)
|
||||
{
|
||||
if( dirs.empty() )
|
||||
return false;
|
||||
|
||||
int res = system->FollowAllLinks(dirs, link_to, dir_tab, item, false, false);
|
||||
|
||||
if( res == 0 )
|
||||
{
|
||||
log << log2 << "Ln: " << link_to << " is a directory (can't create a hard link)" << logend;
|
||||
cur->request->status = WINIX_ERR_PERMISSION_DENIED;
|
||||
return false;
|
||||
}
|
||||
else
|
||||
if( res == 1 )
|
||||
{
|
||||
item.SetDateToNow();
|
||||
item.type = Item::file;
|
||||
item.parent_id = cur->request->dir_tab.back()->id;
|
||||
item.url = cur->request->PostVar(L"url");
|
||||
item.privileges = system->NewFilePrivileges();
|
||||
functions->SetUser(item);
|
||||
item.parent_id = dirs.back()->id;
|
||||
item.url = url;
|
||||
functions->PrepareUrl(item);
|
||||
cur->request->status = db->AddHardLink(item);
|
||||
|
||||
if( cur->request->status == WINIX_ERR_OK )
|
||||
log << log3 << "Ln: created a hard link to: " << link_to << logend;
|
||||
return db->AddHardLink(item) == WINIX_ERR_OK;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
void Ln::CreateHardLink(const std::wstring & link_to)
|
||||
{
|
||||
const std::vector<Item*> & dirs = cur->request->dir_tab;
|
||||
const std::wstring & url = cur->request->PostVar(L"url");
|
||||
|
||||
if( CreateHardLink(dirs, link_to, url) )
|
||||
log << log3 << "Ln: created a hard link to: " << link_to << logend;
|
||||
else
|
||||
if( res == 5 || res == 6 )
|
||||
{
|
||||
cur->request->status = WINIX_ERR_PERMISSION_DENIED;
|
||||
}
|
||||
else
|
||||
{
|
||||
cur->request->status = WINIX_ERR_NO_ITEM;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
* This file is a part of Winix
|
||||
* and is not publicly distributed
|
||||
*
|
||||
* Copyright (c) 2010, Tomasz Sowa
|
||||
* Copyright (c) 2010-2013, Tomasz Sowa
|
||||
* All rights reserved.
|
||||
*
|
||||
*/
|
||||
|
@ -24,16 +24,22 @@ public:
|
|||
|
||||
Ln();
|
||||
bool HasAccess();
|
||||
void CreateSymbolicLink(const std::wstring & link_to);
|
||||
void CreateHardLink(const std::wstring & link_to);
|
||||
void MakePost();
|
||||
|
||||
bool CreateSymbolicLink(long parent_id, const wchar_t * link_to, const wchar_t * url, bool link_redirect = true);
|
||||
bool CreateSymbolicLink(long parent_id, const std::wstring & link_to, const std::wstring & url, bool link_redirect = true);
|
||||
bool CreateHardLink(const std::vector<Item*> & dirs, const std::wstring & link_to, const std::wstring & url);
|
||||
|
||||
|
||||
private:
|
||||
|
||||
Item item;
|
||||
std::wstring link_to;
|
||||
std::vector<Item*> dir_tab;
|
||||
|
||||
void CreateSymbolicLink(const std::wstring & link_to);
|
||||
void CreateHardLink(const std::wstring & link_to);
|
||||
|
||||
};
|
||||
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
* This file is a part of Winix
|
||||
* and is not publicly distributed
|
||||
*
|
||||
* Copyright (c) 2010, Tomasz Sowa
|
||||
* Copyright (c) 2010-2013, Tomasz Sowa
|
||||
* All rights reserved.
|
||||
*
|
||||
*/
|
||||
|
@ -271,7 +271,11 @@ void PrivChanger::PrivOneItem()
|
|||
}
|
||||
|
||||
|
||||
|
||||
/*
|
||||
!! IMPROVE ME
|
||||
we can add a counter to measure how many there are access denieds for files/directories
|
||||
and when changing only one file/directory we can show access denied message
|
||||
*/
|
||||
void PrivChanger::Change(bool change_owner_, bool change_priv_)
|
||||
{
|
||||
if( !CheckAccess() )
|
||||
|
|
Loading…
Reference in New Issue