authorRavishankar N <ravishankar@redhat.com>2018-11-02 11:00:43 +0530
committerShyamsundar Ranganathan <srangana@redhat.com>2018-11-06 16:13:14 +0000
commit5f4ae8a80543332a2e92dfa5c7f833ae7b93a664 (patch)
tree6ec31bea6a9ac6dad565b1e909226428b8fa9794
parent224895148d95742c1f36b48bb79d8b9ef1ff0cd6 (diff)
index: prevent arbitrary file creation outside entry-changes folder
Patch in master: https://review.gluster.org/#/c/glusterfs/+/21534/ A compromised client can set arbitrary values for the GF_XATTROP_ENTRY_IN_KEY and GF_XATTROP_ENTRY_OUT_KEY during xattrop fop. These values are consumed by index as a filename to be created/deleted according to the key. Thus it is possible to create/delete random files even outside the gluster volume boundary. Fix: Index expects the filename to be a basename, i.e. it must not contain any pathname components like "/" or "../". Enforce this. Fixes: CVE-2018-14654 Fixes: bz#1646200 Change-Id: I35f2a39257b5917d17283d0a4f575b92f783f143 Signed-off-by: Ravishankar N <ravishankar@redhat.com>
-rw-r--r--xlators/features/index/src/index.c19
1 files changed, 19 insertions, 0 deletions
diff --git a/xlators/features/index/src/index.c b/xlators/features/index/src/index.c
index 152b52dfc33..931d8344d7c 100644
--- a/xlators/features/index/src/index.c
+++ b/xlators/features/index/src/index.c
@@ -841,6 +841,15 @@ index_entry_create (xlator_t *this, inode_t *inode, char *filename)
ctx->state[ENTRY_CHANGES] = IN;
}
+ if (strchr (filename, '/')) {
+ gf_msg (this->name, GF_LOG_ERROR, EINVAL,
+ INDEX_MSG_INDEX_ADD_FAILED,
+ "Got invalid entry (%s) for pargfid path (%s)",
+ filename, pgfid_path);
+ op_errno = EINVAL;
+ goto out;
+ }
+
op_errno = 0;
snprintf (entry_path, sizeof(entry_path), "%s/%s", pgfid_path,
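Review bot: The new guard in index_entry_create rejects only names that contain '/', so an empty string, "." and ".." still pass and are joined onto pgfid_path by the snprintf that follows, while the commit message states the stricter rule that the name must be a basename. Whether those three names are harmless depends on the filesystem calls outside this hunk, so rejecting them explicitly is the safer reading of the invariant, e.g. `if (!*filename || strchr (filename, '/') || !strcmp (filename, ".") || !strcmp (filename, ".."))`. The identical check added to index_entry_delete has the same gap, and a single static helper called from both places would keep the two copies from drifting apart. Both function bodies start and end outside the hunks, so any earlier validation of filename is not visible here.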
@@ -870,6 +879,16 @@ index_entry_delete (xlator_t *this, uuid_t pgfid, char *filename)
make_gfid_path (priv->index_basepath, ENTRY_CHANGES_SUBDIR, pgfid,
pgfid_path, sizeof (pgfid_path));
+
+ if (strchr (filename, '/')) {
+ gf_msg (this->name, GF_LOG_ERROR, EINVAL,
+ INDEX_MSG_INDEX_DEL_FAILED,
+ "Got invalid entry (%s) for pargfid path (%s)",
+ filename, pgfid_path);
+ op_errno = EINVAL;
+ goto out;
+ }
+
snprintf (entry_path, sizeof(entry_path), "%s/%s", pgfid_path,
filename);
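Review bot: The return value of the snprintf into entry_path is discarded here, and in the same call in index_entry_create, so a client-supplied filename long enough to overflow the buffer is silently truncated and the delete or create then acts on a different entry than the one named. Since this commit already treats filename as attacker-controlled, the length should be checked alongside the '/' test by capturing the result in an int local and failing on overflow, e.g. `if (ret < 0 || (size_t)ret >= sizeof (entry_path)) { op_errno = ENAMETOOLONG; goto out; }`. The declaration of entry_path and the rest of index_entry_delete are outside the hunk, so the buffer size and any later length handling cannot be confirmed from here.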