From: Nicolas Frattaroli <frattaroli.nicolas@gmail.com>
To: linux-fsdevel@vger.kernel.org, Matthew Garrett <mjg59@srcf.ucam.org>
Cc: linux-kernel@vger.kernel.org, Matthew Garrett <mjg59@srcf.ucam.org>
Subject: Re: [RFC] Add a prctl to disable ".." traversal in path resolution
Date: Wed, 11 Dec 2024 16:51:53 +0100 [thread overview]
Message-ID: <2034358.szW3sdo6f8@archbook> (raw)
In-Reply-To: <20241211142929.247692-1-mjg59@srcf.ucam.org>
On Mittwoch, 11. Dezember 2024 15:29:29 Mitteleuropäische Normalzeit Matthew Garrett wrote:
> Path traversal attacks remain a common security vulnerability
> (https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=%22path+traversal%22)
> and many are due to either failing to filter out ".." when validating a
> path or incorrectly collapsing other sequences of "."s into ".." .
> Evidence suggests that improving education isn't fixing the problem.
Hi Matthew,
I get the motivation here, but I think you've just turned "educate about
handling .. properly" into "educate about this specific mitigation".
Linux already offers a multitude of ways in which people who deploy
potentially buggy applications can restrict which files these applications
have access to, from old fashioned UNIX permissions over SELinux and other
LSMs to namespaces. (Some software, like postfix, even thinks chroots are
appropriate for this, but I think modern understanding of security would
disagree with that.)
People who fall victim to path traversal vulnerabilities in actual
deployments will not have deployed any of those mitigations, and therefore
I don't see why they would deploy this one.
As sad as it is to see that supposed enterprise security network appliances
still fall victim to the same mistakes people's CGI perl scripts did in
the 90s, I don't think the ones who would opt into this mechanism are the
ones getting got through path traversal.
> The majority of internet-facing applications are unlikely to require the
> ability to handle ".." in a path after startup, and many are unlikely to
> require it at all.
I would like to see some evidence of that. Do webservers already realname
the path when a client asks for example.com/foo/../css/bar.css? If so,
there's no path traversal vulnerability, if not, then they do require it.
Cheers,
Nicolas Frattaroli
next prev parent reply other threads:[~2024-12-11 15:51 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-11 14:29 [RFC] Add a prctl to disable ".." traversal in path resolution Matthew Garrett
2024-12-11 15:51 ` Nicolas Frattaroli [this message]
2024-12-11 15:56 ` Aleksa Sarai
2024-12-11 16:20 ` Al Viro
2024-12-13 13:50 ` Aleksa Sarai
2024-12-13 12:55 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2034358.szW3sdo6f8@archbook \
--to=frattaroli.nicolas@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mjg59@srcf.ucam.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox