luc14n0/glib
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/glib.git synced 2025-09-27 17:52:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'backport-2325-symlink-replace-file-glib-2-66' into 'glib-2-66'

Browse Source 
Backport !2325 “file-roller symlink attack” to glib-2-66

See merge request GNOME/glib!1982
This commit is contained in:
Philip Withnall
2021-03-10 19:07:50 +00:00
parent 95115f029d 6c6439261b
commit 01c5468e10
2 changed files with 181 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

99
gio/glocalfileoutputstream.c
View File

@@ -63,6 +63,12 @@
#define O_BINARY 0
#endif
#ifndef O_CLOEXEC
#define O_CLOEXEC 0
#else
#define HAVE_O_CLOEXEC 1
#endif
struct _GLocalFileOutputStreamPrivate {
char *tmp_filename;
char *original_filename;
@@ -850,11 +856,12 @@ handle_overwrite_open (const char *filename,
int res;
int mode;
int errsv;
gboolean replace_destination_set = (flags & G_FILE_CREATE_REPLACE_DESTINATION);
mode = mode_from_flags_or_info (flags, reference_info);
/* We only need read access to the original file if we are creating a backup.
* We also add O_CREATE to avoid a race if the file was just removed */
* We also add O_CREAT to avoid a race if the file was just removed */
if (create_backup || readable)
open_flags = O_RDWR | O_CREAT | O_BINARY;
else
@@ -877,16 +884,22 @@ handle_overwrite_open (const char *filename,
/* Could be a symlink, or it could be a regular ELOOP error,
* but then the next open will fail too. */
is_symlink = TRUE;
fd = g_open (filename, open_flags, mode);
if (!replace_destination_set)
fd = g_open (filename, open_flags, mode);
}
#else
fd = g_open (filename, open_flags, mode);
errsv = errno;
#else /* if !O_NOFOLLOW */
/* This is racy, but we do it as soon as possible to minimize the race */
is_symlink = g_file_test (filename, G_FILE_TEST_IS_SYMLINK);
if (!is_symlink || !replace_destination_set)
{
fd = g_open (filename, open_flags, mode);
errsv = errno;
}
#endif
if (fd == -1)
if (fd == -1 &&
(!is_symlink || !replace_destination_set))
{
char *display_name = g_filename_display_name (filename);
g_set_error (error, G_IO_ERROR,
@@ -897,15 +910,30 @@ handle_overwrite_open (const char *filename,
return -1;
}
res = g_local_file_fstat (fd,
G_LOCAL_FILE_STAT_FIELD_TYPE |
G_LOCAL_FILE_STAT_FIELD_MODE |
G_LOCAL_FILE_STAT_FIELD_UID |
G_LOCAL_FILE_STAT_FIELD_GID |
G_LOCAL_FILE_STAT_FIELD_MTIME |
G_LOCAL_FILE_STAT_FIELD_NLINK,
G_LOCAL_FILE_STAT_FIELD_ALL, &original_stat);
errsv = errno;
if (!is_symlink)
{
res = g_local_file_fstat (fd,
G_LOCAL_FILE_STAT_FIELD_TYPE |
G_LOCAL_FILE_STAT_FIELD_MODE |
G_LOCAL_FILE_STAT_FIELD_UID |
G_LOCAL_FILE_STAT_FIELD_GID |
G_LOCAL_FILE_STAT_FIELD_MTIME |
G_LOCAL_FILE_STAT_FIELD_NLINK,
G_LOCAL_FILE_STAT_FIELD_ALL, &original_stat);
errsv = errno;
}
else
{
res = g_local_file_lstat (filename,
G_LOCAL_FILE_STAT_FIELD_TYPE |
G_LOCAL_FILE_STAT_FIELD_MODE |
G_LOCAL_FILE_STAT_FIELD_UID |
G_LOCAL_FILE_STAT_FIELD_GID |
G_LOCAL_FILE_STAT_FIELD_MTIME |
G_LOCAL_FILE_STAT_FIELD_NLINK,
G_LOCAL_FILE_STAT_FIELD_ALL, &original_stat);
errsv = errno;
}
if (res != 0)
{
@@ -922,16 +950,27 @@ handle_overwrite_open (const char *filename,
if (!S_ISREG (_g_stat_mode (&original_stat)))
{
if (S_ISDIR (_g_stat_mode (&original_stat)))
g_set_error_literal (error,
G_IO_ERROR,
G_IO_ERROR_IS_DIRECTORY,
_("Target file is a directory"));
else
g_set_error_literal (error,
{
g_set_error_literal (error,
G_IO_ERROR,
G_IO_ERROR_IS_DIRECTORY,
_("Target file is a directory"));
goto err_out;
}
else if (!is_symlink ||
#ifdef S_ISLNK
!S_ISLNK (_g_stat_mode (&original_stat))
#else
FALSE
#endif
)
{
g_set_error_literal (error,
G_IO_ERROR,
G_IO_ERROR_NOT_REGULAR_FILE,
_("Target file is not a regular file"));
goto err_out;
goto err_out;
}
}
if (etag != NULL)
@@ -960,7 +999,7 @@ handle_overwrite_open (const char *filename,
* to a backup file and rewrite the contents of the file.
*/
if ((flags & G_FILE_CREATE_REPLACE_DESTINATION) ||
if (replace_destination_set ||
(!(_g_stat_nlink (&original_stat) > 1) && !is_symlink))
{
char *dirname, *tmp_filename;
@@ -979,7 +1018,7 @@ handle_overwrite_open (const char *filename,
/* try to keep permissions (unless replacing) */
if ( ! (flags & G_FILE_CREATE_REPLACE_DESTINATION) &&
if (!replace_destination_set &&
(
#ifdef HAVE_FCHOWN
fchown (tmpfd, _g_stat_uid (&original_stat), _g_stat_gid (&original_stat)) == -1 ||
@@ -1014,7 +1053,8 @@ handle_overwrite_open (const char *filename,
}
}
g_close (fd, NULL);
if (fd >= 0)
g_close (fd, NULL);
*temp_filename = tmp_filename;
return tmpfd;
}
@@ -1120,7 +1160,7 @@ handle_overwrite_open (const char *filename,
}
}
if (flags & G_FILE_CREATE_REPLACE_DESTINATION)
if (replace_destination_set)
{
g_close (fd, NULL);
@@ -1205,7 +1245,7 @@ _g_local_file_output_stream_replace (const char *filename,
sync_on_close = FALSE;
/* If the file doesn't exist, create it */
open_flags = O_CREAT | O_EXCL | O_BINARY;
open_flags = O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC;
if (readable)
open_flags |= O_RDWR;
else
@@ -1235,7 +1275,10 @@ _g_local_file_output_stream_replace (const char *filename,
set_error_from_open_errno (filename, error);
return NULL;
}
#if !defined(HAVE_O_CLOEXEC) && defined(F_SETFD)
else
fcntl (fd, F_SETFD, FD_CLOEXEC);
#endif
stream = g_object_new (G_TYPE_LOCAL_FILE_OUTPUT_STREAM, NULL);
stream->priv->fd = fd;

112
gio/tests/file.c
View File

@@ -686,7 +686,7 @@ test_replace_cancel (void)
guint count;
GError *error = NULL;
g_test_bug ("629301");
g_test_bug ("https://bugzilla.gnome.org/629301");
path = g_dir_make_tmp ("g_file_replace_cancel_XXXXXX", &error);
g_assert_no_error (error);
@@ -805,6 +805,113 @@ test_replace_cancel (void)
g_object_unref (tmpdir);
}
static void
test_replace_symlink (void)
{
#ifdef G_OS_UNIX
gchar *tmpdir_path = NULL;
GFile *tmpdir = NULL, *source_file = NULL, *target_file = NULL;
GFileOutputStream *stream = NULL;
const gchar *new_contents = "this is a test message which should be written to source and not target";
gsize n_written;
GFileEnumerator *enumerator = NULL;
GFileInfo *info = NULL;
gchar *contents = NULL;
gsize length = 0;
GError *local_error = NULL;
g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/2325");
g_test_summary ("Test that G_FILE_CREATE_REPLACE_DESTINATION doesnt follow symlinks");
/* Create a fresh, empty working directory. */
tmpdir_path = g_dir_make_tmp ("g_file_replace_symlink_XXXXXX", &local_error);
g_assert_no_error (local_error);
tmpdir = g_file_new_for_path (tmpdir_path);
g_test_message ("Using temporary directory %s", tmpdir_path);
g_free (tmpdir_path);
/* Create symlink `source` which points to `target`. */
source_file = g_file_get_child (tmpdir, "source");
target_file = g_file_get_child (tmpdir, "target");
g_file_make_symbolic_link (source_file, "target", NULL, &local_error);
g_assert_no_error (local_error);
/* Ensure that `target` doesnt exist */
g_assert_false (g_file_query_exists (target_file, NULL));
/* Replace the `source` symlink with a regular file using
* %G_FILE_CREATE_REPLACE_DESTINATION, which should replace it *without*
* following the symlink */
stream = g_file_replace (source_file, NULL, FALSE /* no backup */,
G_FILE_CREATE_REPLACE_DESTINATION, NULL, &local_error);
g_assert_no_error (local_error);
g_output_stream_write_all (G_OUTPUT_STREAM (stream), new_contents, strlen (new_contents),
&n_written, NULL, &local_error);
g_assert_no_error (local_error);
g_assert_cmpint (n_written, ==, strlen (new_contents));
g_output_stream_close (G_OUTPUT_STREAM (stream), NULL, &local_error);
g_assert_no_error (local_error);
g_clear_object (&stream);
/* At this point, there should still only be one file: `source`. It should
* now be a regular file. `target` should not exist. */
enumerator = g_file_enumerate_children (tmpdir,
G_FILE_ATTRIBUTE_STANDARD_NAME ","
G_FILE_ATTRIBUTE_STANDARD_TYPE,
G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, NULL, &local_error);
g_assert_no_error (local_error);
info = g_file_enumerator_next_file (enumerator, NULL, &local_error);
g_assert_no_error (local_error);
g_assert_nonnull (info);
g_assert_cmpstr (g_file_info_get_name (info), ==, "source");
g_assert_cmpint (g_file_info_get_file_type (info), ==, G_FILE_TYPE_REGULAR);
g_clear_object (&info);
info = g_file_enumerator_next_file (enumerator, NULL, &local_error);
g_assert_no_error (local_error);
g_assert_null (info);
g_file_enumerator_close (enumerator, NULL, &local_error);
g_assert_no_error (local_error);
g_clear_object (&enumerator);
/* Double-check that `target` doesnt exist */
g_assert_false (g_file_query_exists (target_file, NULL));
/* Check the content of `source`. */
g_file_load_contents (source_file,
NULL,
&contents,
&length,
NULL,
&local_error);
g_assert_no_error (local_error);
g_assert_cmpstr (contents, ==, new_contents);
g_assert_cmpuint (length, ==, strlen (new_contents));
g_free (contents);
/* Tidy up. */
g_file_delete (source_file, NULL, &local_error);
g_assert_no_error (local_error);
g_file_delete (tmpdir, NULL, &local_error);
g_assert_no_error (local_error);
g_clear_object (&target_file);
g_clear_object (&source_file);
g_clear_object (&tmpdir);
#else /* if !G_OS_UNIX */
g_test_skip ("Symlink replacement tests can only be run on Unix")
#endif
}
static void
on_file_deleted (GObject *object,
GAsyncResult *result,
@@ -1785,8 +1892,6 @@ main (int argc, char *argv[])
{
g_test_init (&argc, &argv, NULL);
g_test_bug_base ("http://bugzilla.gnome.org/");
g_test_add_func ("/file/basic", test_basic);
g_test_add_func ("/file/build-filename", test_build_filename);
g_test_add_func ("/file/parent", test_parent);
@@ -1800,6 +1905,7 @@ main (int argc, char *argv[])
g_test_add_data_func ("/file/async-create-delete/4096", GINT_TO_POINTER (4096), test_create_delete);
g_test_add_func ("/file/replace-load", test_replace_load);
g_test_add_func ("/file/replace-cancel", test_replace_cancel);
g_test_add_func ("/file/replace-symlink", test_replace_symlink);
g_test_add_func ("/file/async-delete", test_async_delete);
g_test_add_func ("/file/copy-preserve-mode", test_copy_preserve_mode);
g_test_add_func ("/file/measure", test_measure);