fixed: security vulnerability in 'ln' winix function

a user could create a hardlink to any file and the new link had user_id, group_id and permissions the same as for new generated files, this allowes to overwrite any existing file in the filesystem, now user_id, group_id, permissions are the same as from the oryginal file git-svn-id: svn://ttmath.org/publicrep/winix/trunk@941 e52654a7-88a9-db11-a3e9-0013d4bc506e
2013-12-03 12:33:41 +00:00 · 2013-12-03 12:33:41 +00:00 · c04874397b
parent 375604edd6
commit c04874397b
6 changed files with 82 additions and 35 deletions
--- a/core/dirs.cpp
+++ b/core/dirs.cpp
@ -517,7 +517,11 @@ void Dirs::CopyDirTab(const std::vector<Item*> & in, std::vector<Item*> & out)



-
+/*
+	!! IMPROVE ME
+	may dir_tab can be empty when link_to is not relative?
+	and now the algorith doesn't check if link_to is not relative (it only uses dir_tab)
+*/
 bool Dirs::AnalyzeDir(std::vector<Item*> & dir_tab, const std::wstring & link_to, size_t & i)
 {
 	size_t old_i;
--- a/core/item.h
+++ b/core/item.h
@ -2,7 +2,7 @@
 * This file is a part of Winix
 * and is not publicly distributed
 * 
- * Copyright (c) 2008-2012, Tomasz Sowa
+ * Copyright (c) 2008-2013, Tomasz Sowa
 * All rights reserved.
 * 
 */
@ -76,7 +76,7 @@ struct Item

 	// used when type is symlink or to a directory too (function 'default')
 	std::wstring link_to;
-	int link_redirect;
+	int link_redirect; // !! IMPROVE ME should it be 'bool'?


 	// static file (if exists)
--- a/core/system.cpp
+++ b/core/system.cpp
@ -1207,6 +1207,8 @@ int System::FollowAllLinks(const std::vector<Item*> & current_dir_tab, const std
 		}
 		else
 		{
+			// !! CHECK ME
+			// FollowLink is using link_to_temp temporary variable too
 			res = FollowLink(current_dir_tab, link_to_temp, out_dir_tab, out_item);
 			link_to_temp.clear();

--- a/functions/ln.cpp
+++ b/functions/ln.cpp
@ -2,7 +2,7 @@
 * This file is a part of Winix
 * and is not publicly distributed
 * 
- * Copyright (c) 2010-2012, Tomasz Sowa
+ * Copyright (c) 2010-2013, Tomasz Sowa
 * All rights reserved.
 * 
 */
@ -29,58 +29,89 @@ bool Ln::HasAccess()
 }


-void Ln::CreateSymbolicLink(const std::wstring & link_to)
+
+bool Ln::CreateSymbolicLink(long parent_id, const wchar_t * link_to, const wchar_t * url, bool link_redirect)
 {
 	item.Clear(); // setting the date to now
 	item.type          = Item::symlink;
-	item.parent_id     = cur->request->dir_tab.back()->id;
-	item.url           = cur->request->PostVar(L"url");
+	item.parent_id     = parent_id;
+	item.url           = url;
 	item.link_to       = link_to;
-	item.link_redirect = cur->request->IsPostVar(L"makeredirect") ? 1 : 0;
+	item.link_redirect = static_cast<int>(link_redirect);
 	item.privileges    = system->NewFilePrivileges();
 	functions->SetUser(item);
 	functions->PrepareUrl(item);

-	cur->request->status = db->AddItem(item);
-
-	if( cur->request->status == WINIX_ERR_OK )
-		log << log3 << "Ln: created a symbolic link to: " << link_to << logend;
+return db->AddItem(item) == WINIX_ERR_OK;
 }


-void Ln::CreateHardLink(const std::wstring & link_to)
+bool Ln::CreateSymbolicLink(long parent_id, const std::wstring & link_to, const std::wstring & url, bool link_redirect)
 {
-	int res = system->FollowAllLinks(cur->request->dir_tab, link_to, dir_tab, item, false, false);
+	return CreateSymbolicLink(parent_id, link_to.c_str(), url.c_str(), link_redirect);
+}
+
+
+void Ln::CreateSymbolicLink(const std::wstring & link_to)
+{
+	long parent_id           = cur->request->dir_tab.back()->id;
+	const std::wstring & url = cur->request->PostVar(L"url");
+	bool link_redirect       = cur->request->IsPostVar(L"makeredirect") ? 1 : 0;
+
+	if( CreateSymbolicLink(parent_id, link_to, url, link_redirect) )
+		log << log3 << "Ln: created a symbolic link to: " << link_to << logend;
+	else
+		cur->request->status = WINIX_ERR_PERMISSION_DENIED;
+}
+
+
+/*
+!! IMPROVE ME
+we need a better public interface
+instead of std::vector<Item*> may std::wstring for path?
+
+	dirs    - directory from we start looking for a destination file
+	link_to - destination file (name or path - relative or not)
+	url     - suggested url name of the link
+*/
+bool Ln::CreateHardLink(const std::vector<Item*> & dirs, const std::wstring & link_to, const std::wstring & url)
+{
+	if( dirs.empty() )
+		return false;
+
+	int res = system->FollowAllLinks(dirs, link_to, dir_tab, item, false, false);

 	if( res == 0 )
 	{
 		log << log2 << "Ln: " << link_to << " is a directory (can't create a hard link)" << logend;
-		cur->request->status = WINIX_ERR_PERMISSION_DENIED;
+		return false;
 	}
 	else
 	if( res == 1 )
 	{
-		item.SetDateToNow();
 		item.type          = Item::file;
-		item.parent_id     = cur->request->dir_tab.back()->id;
-		item.url           = cur->request->PostVar(L"url");
-		item.privileges    = system->NewFilePrivileges();
-		functions->SetUser(item);
+		item.parent_id     = dirs.back()->id;
+		item.url           = url;
 		functions->PrepareUrl(item);
-		cur->request->status = db->AddHardLink(item);

-		if( cur->request->status == WINIX_ERR_OK )
-			log << log3 << "Ln: created a hard link to: " << link_to << logend;
+		return db->AddHardLink(item) == WINIX_ERR_OK;
 	}
+
+return false;
+}
+
+
+
+
+void Ln::CreateHardLink(const std::wstring & link_to)
+{
+	const std::vector<Item*> & dirs = cur->request->dir_tab;
+	const std::wstring & url        = cur->request->PostVar(L"url");
+
+	if( CreateHardLink(dirs, link_to, url) )
+		log << log3 << "Ln: created a hard link to: " << link_to << logend;
 	else
-	if( res == 5 || res == 6 )
-	{
 		cur->request->status = WINIX_ERR_PERMISSION_DENIED;
-	}
-	else
-	{
-		cur->request->status = WINIX_ERR_NO_ITEM;
-	}
 }


--- a/functions/ln.h
+++ b/functions/ln.h
@ -2,7 +2,7 @@
 * This file is a part of Winix
 * and is not publicly distributed
 * 
- * Copyright (c) 2010, Tomasz Sowa
+ * Copyright (c) 2010-2013, Tomasz Sowa
 * All rights reserved.
 * 
 */
@ -24,16 +24,22 @@ public:

 	Ln();
 	bool HasAccess();
-	void CreateSymbolicLink(const std::wstring & link_to);
-	void CreateHardLink(const std::wstring & link_to);
 	void MakePost();

+	bool CreateSymbolicLink(long parent_id, const wchar_t * link_to, const wchar_t * url, bool link_redirect = true);
+	bool CreateSymbolicLink(long parent_id, const std::wstring & link_to, const std::wstring & url, bool link_redirect = true);
+	bool CreateHardLink(const std::vector<Item*> & dirs, const std::wstring & link_to, const std::wstring & url);
+
+
 private:

 	Item item;
 	std::wstring link_to;
 	std::vector<Item*> dir_tab;

+	void CreateSymbolicLink(const std::wstring & link_to);
+	void CreateHardLink(const std::wstring & link_to);
+
 };


--- a/functions/privchanger.cpp
+++ b/functions/privchanger.cpp
@ -2,7 +2,7 @@
 * This file is a part of Winix
 * and is not publicly distributed
 * 
- * Copyright (c) 2010, Tomasz Sowa
+ * Copyright (c) 2010-2013, Tomasz Sowa
 * All rights reserved.
 * 
 */
@ -271,7 +271,11 @@ void PrivChanger::PrivOneItem()
 }


-
+/*
+	!! IMPROVE ME
+	we can add a counter to measure how many there are access denieds for files/directories
+	and when changing only one file/directory we can show access denied message
+*/
 void PrivChanger::Change(bool change_owner_, bool change_priv_)
 {
 	if( !CheckAccess() )