FYI Lighttpd 1.4.23 /kernel (trailing '/' on regular file symlink) vulnerability
Dag-Erling Smørgrav
des at des.no
Tue May 26 20:32:46 UTC 2009
[moving from security@ to hackers@]
Jakub Lach <jakub_lach at mailplus.pl> writes:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/21768
Like bde@ pointed out, the patch is incorrect. It moves the test for
v_type != VDIR up to a point where, in the case of a symlink, v_type is
always (by definition) VLNK.
The reason why the current code does not work is that, in the symlink
case, the v_type != VDIR test is never reached: we will have jumped to
either bad2 or success. However, it should be safe to move the test to
after the success label, because trailing_slash is only ever true for
the last component of the path we were asked to look up (see lines 520
through 535).
The attached patch should work.
DES
--
Dag-Erling Smørgrav - des at des.no
-------------- next part --------------
A non-text attachment was scrubbed...
Name: symlink-slash.diff
Type: text/x-patch
Size: 748 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20090526/2309e5a0/symlink-slash.bin
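
A userland regression check for the lookup behaviour discussed in this message, as an added example that is not part of the original post or of the attached patch. It assumes POSIX semantics, under which a trailing '/' on a name that resolves to a non-directory must fail with ENOTDIR; the function names and the scratch path are made up for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open name relative to dfd; return 0 on success, else the errno. */
static int probe(int dfd, const char *name)
{
    int fd = openat(dfd, name, O_RDONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Returns 0 if every lookup behaves as expected, -1 on setup failure,
 * otherwise a bitmask of failed cases (value 2 = the symlink case). */
int check_trailing_slash(void)
{
    char tmpl[] = "/tmp/slashchk.XXXXXX";   /* constructed scratch path */
    int dfd, fd, failed = 0;

    if (mkdtemp(tmpl) == NULL)
        return -1;
    dfd = open(tmpl, O_RDONLY | O_DIRECTORY);  /* if this fails, openat fails too */
    fd = openat(dfd, "file", O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || mkdirat(dfd, "dir", 0700) < 0 ||
        symlinkat("file", dfd, "flink") < 0 || symlinkat("dir", dfd, "dlink") < 0)
        failed = -1;
    if (fd >= 0)
        close(fd);
    if (failed == 0) {
        if (probe(dfd, "file/") != ENOTDIR)  failed |= 1; /* plain file + '/' */
        if (probe(dfd, "flink/") != ENOTDIR) failed |= 2; /* symlink to file + '/' */
        if (probe(dfd, "dlink/") != 0)       failed |= 4; /* symlink to dir must work */
        if (probe(dfd, "flink") != 0)        failed |= 8; /* no slash must work */
    }
    unlinkat(dfd, "flink", 0);
    unlinkat(dfd, "dlink", 0);
    unlinkat(dfd, "file", 0);
    unlinkat(dfd, "dir", AT_REMOVEDIR);
    close(dfd);
    rmdir(tmpl);
    return failed;
}

int main(void) { return check_trailing_slash() != 0; }
```

A nonzero exit status means at least one lookup misbehaved; a mask with value 2 set is the symlink-plus-slash case this thread is about.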