From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:42165)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <groug@kaod.org>) id 1bamnT-00054L-5T
	for qemu-devel@nongnu.org; Fri, 19 Aug 2016 12:37:32 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <groug@kaod.org>) id 1bamnP-0003I8-U8
	for qemu-devel@nongnu.org; Fri, 19 Aug 2016 12:37:31 -0400
Received: from 20.mo1.mail-out.ovh.net ([188.165.45.168]:41281)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <groug@kaod.org>) id 1bamnP-0003Ho-NR
	for qemu-devel@nongnu.org; Fri, 19 Aug 2016 12:37:27 -0400
Received: from player726.ha.ovh.net (b7.ovh.net [213.186.33.57])
	by mo1.mail-out.ovh.net (Postfix) with ESMTP id 75934FF9BF6
	for <qemu-devel@nongnu.org>; Fri, 19 Aug 2016 18:37:26 +0200 (CEST)
Date: Fri, 19 Aug 2016 18:37:17 +0200
From: Greg Kurz <groug@kaod.org>
Message-ID: <20160819183717.4de8c99d@bahia.lan>
In-Reply-To: <CAFEAcA8dqyBLJmCGJLWQupHqWPzuL51Yz7YG+CspjMokpqOoOQ@mail.gmail.com>
References: <1470892391-4917-1-git-send-email-ppandit@redhat.com>
	<CAFEAcA9w-DhDL2kqUKQKSxaUUj+wniZKCUSLYd55U6f4QsgiyQ@mail.gmail.com>
	<CAFEAcA8dqyBLJmCGJLWQupHqWPzuL51Yz7YG+CspjMokpqOoOQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] 9pfs: add check for relative path
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: P J P <ppandit@redhat.com>, Qemu Developers <qemu-devel@nongnu.org>, Prasad J Pandit <pjp@fedoraproject.org>, "Michael S. Tsirkin" <mtsirkin@redhat.com>, Felix Wilhelm <fwilhelm@ernw.de>, "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>

On Fri, 19 Aug 2016 16:14:48 +0100
Peter Maydell <peter.maydell@linaro.org> wrote:

> On 19 August 2016 at 15:55, Peter Maydell <peter.maydell@linaro.org> wrote:
> > Also, strstr(name, "../") is the wrong check. There are I think
> > two possibilities here:
> >
> > (1) the "name" parameter may only validly be a single pathname
> > component. In this case we should be enforcing this by treating
> > any string with a "/" in it as an error (and checking for "../"
> > is not catching all the cases that should be errors).
> >
> > (2) the "name" parameter may be a multiple-pathname-component value.
> > In this case "../" catches too many cases, because "foo../bar" is
> > a valid string which is not relative. You would need to check for
> > (contains "/../" OR starts with "../" OR ends with "/.." OR is "..").
> >
> >
> > On IRC Greg and I discussed this and Greg suggested that
> > case (1) is what we have. We should check this though.  
> 
> If (1) is true and "only single path component" is a protocol
> requirement then probably we should be enforcing this at a
> higher layer than in 9p-local.c, ie in hw/9pfs/cofs.c.
> 

As we discussed on IRC, the / character isn't invalid per-se. It raises
issues with the local backend on a linux host but does not do harm with
other backends.

The proxy backend also accesses the linux filesystem but since it
chroots to the export path, it does not hit the path traversal issue.

Aneesh suggested an alternative to doing checks on the names would be
to forbid access outside the export path but I can't think of a simple
way to do that.

> thanks
> -- PMM

Cheers.

--
Greg