From 043366ac3248a58662a6fbf47a1dd688a75d0e78 Mon Sep 17 00:00:00 2001
From: Darshit Shah <darnir@gmail.com>
Date: Mon, 8 Sep 2014 00:41:17 +0530
Subject: [PATCH 1/2] Fix R7-2014-15: Arbitrary Symlink Access
Wget was susceptible to a symlink attack which could create arbitrary
files, directories or symbolic links and set their permissions when
retrieving a directory recursively through FTP. This commit changes the
default settings in Wget such that Wget no longer creates local symbolic
links, but rather traverses them and retrieves the pointed-to file in
such a retrieval.
The old behaviour can be attained by passing the --retr-symlinks=no
option to the Wget invocation command.
---
doc/wget.texi | 23 ++++++++++++-----------
src/init.c | 16 ++++++++++++++++
2 files changed, 28 insertions(+), 11 deletions(-)
diff --git a/doc/wget.texi b/doc/wget.texi
index a31eb5e..f54e98d 100644
--- a/doc/wget.texi
+++ b/doc/wget.texi
@@ -1883,17 +1883,18 @@ Preserve remote file permissions instead of permissions set by umask.
@cindex symbolic links, retrieving
@item --retr-symlinks
-Usually, when retrieving @sc{ftp} directories recursively and a symbolic
-link is encountered, the linked-to file is not downloaded. Instead, a
-matching symbolic link is created on the local filesystem. The
-pointed-to file will not be downloaded unless this recursive retrieval
-would have encountered it separately and downloaded it anyway.
-
-When @samp{--retr-symlinks} is specified, however, symbolic links are
-traversed and the pointed-to files are retrieved. At this time, this
-option does not cause Wget to traverse symlinks to directories and
-recurse through them, but in the future it should be enhanced to do
-this.
+By default, when retrieving @sc{ftp} directories recursively and a symbolic link
+is encountered, the symbolic link is traversed and the pointed-to files are
+retrieved. Currently, Wget does not traverse symbolic links to directories to
+download them recursively, though this feature may be added in the future.
+
+When @samp{--retr-symlinks=no} is specified, the linked-to file is not
+downloaded. Instead, a matching symbolic link is created on the local
+filesystem. The pointed-to file will not be retrieved unless this recursive
+retrieval would have encountered it separately and downloaded it anyway. This
+option poses a security risk where a malicious FTP Server may cause Wget to
+write to files outside of the intended directories through a specially crafted
+@sc{.listing} file.
Note that when retrieving a file (not a directory) because it was
specified on the command-line, rather than because it was recursed to,
diff --git a/src/init.c b/src/init.c
index 93e95f8..94b6f8b 100644
--- a/src/init.c
+++ b/src/init.c
@@ -366,6 +366,22 @@ defaults (void)
opt.dns_cache = true;
opt.ftp_pasv = true;
+ /* 2014-09-07 Darshit Shah <darnir@gmail.com>
+ * opt.retr_symlinks is set to true by default. Creating symbolic links on the
+ * local filesystem pose a security threat by malicious FTP Servers that
+ * server a specially crafted .listing file akin to this:
+ *
+ * lrwxrwxrwx 1 root root 33 Dec 25 2012 JoCxl6d8rFU -> /
+ * drwxrwxr-x 15 1024 106 4096 Aug 28 02:02 JoCxl6d8rFU
+ *
+ * A .listing file in this fashion makes Wget susceptiple to a symlink attack
+ * wherein the attacker is able to create arbitrary files, directories and
+ * symbolic links on the target system and even set permissions.
+ *
+ * Hence, by default Wget attempts to retrieve the pointed-to files and does
+ * not create the symbolic links locally.
+ */
+ opt.retr_symlinks = true;
#ifdef HAVE_SSL
opt.check_cert = true;
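Review bot: The comment block added above `opt.retr_symlinks = true;` carries several typos that will outlive the commit and should be fixed before merge: `pose a security threat` should read `poses`, `server a specially crafted .listing file` should read `serve`, and `susceptiple` should read `susceptible`. The dated author line that opens the comment repeats what the commit record already holds; the comment reads better starting directly with the rationale, e.g. `/* Default to retrieving the file a symlink points to instead of creating the link locally: a server-supplied .listing such as the one below would otherwise let the server create files, directories and links outside the download tree. */`, followed by the two sample listing lines. Whether every code path in ftp.c that creates local links honours this flag is not visible from this hunk and should be confirmed. defaults() begins and ends outside the hunk.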
--
2.1.0
From bfa8c9cc9937f686a4de110e49710061267f8d9e Mon Sep 17 00:00:00 2001
From: Darshit Shah <darnir@gmail.com>
Date: Mon, 8 Sep 2014 15:07:45 +0530
Subject: [PATCH 2/2] Add checks for valid listing file in FTP
When Wget retrieves a file through FTP, it first downloads a .listing
file and parses it for information about the files and other metadata.
Some servers may serve invalid .listing files. This patch checks for one
such known inconsistency wherein multiple lines in a listing file have
the same name. Such a filesystem is clearly not possible and hence we
eliminate duplicate entries here.
Signed-off-by: Darshit Shah <darnir@gmail.com>
---
src/ftp.c | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/src/ftp.c b/src/ftp.c
index 2d54333..054cb61 100644
--- a/src/ftp.c
+++ b/src/ftp.c
@@ -2211,6 +2211,29 @@ has_insecure_name_p (const char *s)
return false;
}
+/* Test if the file node is invalid. This can occur due to malformed or
+ * maliciously crafted listing files being returned by the server.
+ *
+ * Currently, this function only tests if there are multiple entries in the
+ * listing file by the same name. However this function can be expanded as more
+ * such illegal listing formats are discovered. */
+static bool
+is_invalid_entry (struct fileinfo *f)
+{
+ struct fileinfo *cur;
+ cur = f;
+ char *f_name = f->name;
+ /* If the node we're currently checking has a duplicate later, we eliminate
+ * the current node and leave the next one intact. */
+ while (cur->next)
+ {
+ cur = cur->next;
+ if (strcmp(f_name, cur->name) == 0)
+ return true;
+ }
+ return false;
+}
+
/* A near-top-level function to retrieve the files in a directory.
The function calls ftp_get_listing, to get a linked list of files.
Then it weeds out the file names that do not match the pattern.
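Review bot: is_invalid_entry only rejects the earlier of two same-named entries — `cur` starts at `f` and walks forward, so the last occurrence of a duplicated name always passes, and because the listing is server-supplied the server decides which entry survives, which weakens the check as a defence-in-depth measure. If duplicate names mark a malformed listing, every entry carrying that name should be rejected, which needs the list head: pass `start` (already in scope in the caller) and compare `f` against every other node. The caller invokes this for each node, so the scan is quadratic in the listing length; that is tolerable for a directory listing but deserves a comment. The call site in the next hunk would become `is_invalid_entry (start, f)`.
```c
/* Return true if F's name occurs on any other node of the listing headed by
 * START.  Every node sharing a name is rejected, not only the earlier ones,
 * so the server cannot pick which duplicate Wget keeps. */
static bool
is_invalid_entry (struct fileinfo *start, struct fileinfo *f)
{
  const struct fileinfo *cur;
  for (cur = start; cur; cur = cur->next)
    if (cur != f && strcmp (f->name, cur->name) == 0)
      return true;
  return false;
}
```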
@@ -2248,11 +2271,11 @@ ftp_retrieve_glob (struct url *u, ccon *con, int action)
f = f->next;
}
}
- /* Remove all files with possible harmful names */
+ /* Remove all files with possible harmful names or invalid entries. */
f = start;
while (f)
{
- if (has_insecure_name_p (f->name))
+ if (has_insecure_name_p (f->name) || is_invalid_entry (f))
{
logprintf (LOG_VERBOSE, _("Rejecting %s.\n"),
quote (f->name));
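Review bot: The rejection branch now fires for two different reasons but logs the same `Rejecting %s.` message, so a duplicate listing entry and an insecure name are indistinguishable in verbose output, and a tampered listing is harder to spot from logs. Recording the reason keeps that signal, e.g. `const char *why = has_insecure_name_p (f->name) ? "insecure name" : "duplicate listing entry";` computed inside the branch and logged with `logprintf (LOG_VERBOSE, _("Rejecting %s (%s).\n"), quote (f->name), why);`, which preserves the short-circuit order of the condition. The remainder of the rejection branch and ftp_retrieve_glob itself lie outside the hunk, so the point is limited to the lines shown.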
--
2.1.0