Security patch for weird pathnames

author: pst <pst@FreeBSD.org> 1996-08-12 01:36:01 +0800
committer: pst <pst@FreeBSD.org> 1996-08-12 01:36:01 +0800
commit: a93c95713bf0ba2d869be862c4429b4817e8ab22 (patch)
tree: 08a3c2e4d2e4005231105132ad04b3ea14865940 /ftp
parent: d39ecef17bc67ae1468d8d06c8f554f607c25a5e (diff)
download: freebsd-ports-gnome-a93c95713bf0ba2d869be862c4429b4817e8ab22.tar.gz
freebsd-ports-gnome-a93c95713bf0ba2d869be862c4429b4817e8ab22.tar.zst
freebsd-ports-gnome-a93c95713bf0ba2d869be862c4429b4817e8ab22.zip
1 files changed, 212 insertions, 0 deletions
diff --git a/ftp/yale-tftpd/files/patch-ab b/ftp/yale-tftpd/files/patch-ab
new file mode 100644
index 000000000000..cea9966ad984
--- /dev/null
+++ b/ftp/yale-tftpd/files/patch-ab
@@ -0,0 +1,212 @@
+From: Christian.Schroeder@Inf-Technik.TU-Ilmenau.DE (Ch. Schroeder)
+Message-Id: <9510171319.AA19401@pegasus>
+Subject: yale tftpd
+To: pst@cisco.com
+Date: Tue, 17 Oct 1995 14:19:32 +0100 (MET)
+
+Hello Paul,
+
+Some days ago I foung the yale tftp daemon (3.0) on the INTERNET and I want to
+use it because I have to follow symbolic links from the tftp root directory
+to some bootfiles in other directories in the local filesystem.
+
+But I found, that there are some security holes (?) in the code, specially
+if the daemon checks the pathname of the requested file. That is dangereous
+if no default access rules are specified.
+
+i.e:
+
+config file:
+------------
+
+defaultDirectory                /tftpboot
+rootDirectory                   /tftpboot
+accessList              1       readonly        141.24.20.0     0.0.3.255
+defaultAccessList       1
+
+The following reqeusts were successfully and I think, that shouldn't be so.
+
+tftp> get /etc/passwd ./foo
+Error code 1: File not found
+tftp> get /tftpboot/../../etc/passwd ./foo
+Received 474 bytes in 0.3 seconds
+tftp> get ../../etc/passwd ./foo
+Received 474 bytes in 0.1 seconds
+tftp>
+
+I found also some Problems when I dont secify a rootDirectory.
+Specially the "../.." parts are only removed, if a root directory
+is specified AND the path starts with "/" AND the path doesn't start 
+with the virtual root directory (e.g. /tftpboot). restrict rules can
+be skipped with leading ../.. etc.
+Therefore I made some changes in tftpd.c an got better results.
+
+tftp> get /etc/passwd ./foo
+Error code 1: File not found
+tftp> get /tftpboot/../../etc/passwd ./foo
+Error code 2: Access violation
+tftp> get ../../etc/passwd ./foo
+Error code 1: File not found
+tftp>
+
+It would be very nice, if you could check my modifications and
+mail me your meaning back. (Excuse please my ugly english)
+
+Christian
+
+Here's the diff File ( diff -bw -c tftpd.c tftpd.c.patched ):
+
+*** tftpd.c	Tue Oct 17 14:09:01 1995
+--- tftpd.c.patched	Tue Oct 17 11:57:30 1995
+***************
+*** 459,475 ****
+  
+  	/* Rule 2:
+  	 */
+! 	if (tftpRootDirectory != 0 && IS_ROOTED(filename)) {
+  		char _tmp[1024];
+  		int maxPath;
+  		int rootLen;
+  
+! 		rootLen = strlen (tftpRootDirectory);
+  
+  		/* make sure the pathname doesn't already contain
+  		 * the virtual root.
+  		 */
+- 		if (strncmp(filename,tftpRootDirectory,rootLen) != 0) {
+  
+  			/* Insure our temporary space is big enough */
+  			maxPath = ((sizeof _tmp) - 1) - rootLen;
+--- 459,483 ----
+  
+  	/* Rule 2:
+  	 */
+! 	if ((tftpRootDirectory != 0 && IS_ROOTED(filename)) ||
+! 	    (tftpDefaultDirectory != 0 && IS_ROOTED(filename))) {
+  		char _tmp[1024];
++ 		char* realRootDir; 
+  		int maxPath;
+  		int rootLen;
+  
+! 		if (tftpRootDirectory != 0 ) {
+! 			realRootDir = tftpRootDirectory;
+! 		}
+! 		else {
+! 			realRootDir = tftpDefaultDirectory;
+! 		}
+  
++ 		rootLen = strlen (realRootDir);
++ 
+  		/* make sure the pathname doesn't already contain
+  		 * the virtual root.
+  		 */
+  
+  		/* Insure our temporary space is big enough */
+  		maxPath = ((sizeof _tmp) - 1) - rootLen;
+***************
+*** 481,486 ****
+--- 489,496 ----
+  			return EACCESS;
+  		}
+  
++ 		if (strncmp(filename,realRootDir,rootLen) != 0) {
++ 
+  			/* Squeeze out any '.' or '..' components */
+  			strcpy (tmpPath, filename);
+  			if (realPath (tmpPath, _tmp) < 0) {
+***************
+*** 492,511 ****
+  			/* Create the full pathname, prefixed by the
+  			 * virtual root.
+  			 */
+! 			strcpy (tmpPath, tftpRootDirectory);
+  			strcat (tmpPath, _tmp);
+  			filename = tmpPath;
+  		}
+  	}
+  
+  	/* Rule 3:
+  	 */
+! 	if (!IS_ROOTED(filename) && tftpDefaultDirectory == 0) {
+! 		strcpy (tmpPath, tftpRootDirectory);
+! 		strcat (tmpPath, "/");
+  		strcat (tmpPath, filename);
+  		filename = tmpPath;
+  	}
+  
+  	/* Check access lists */
+  	/* Rules 4&5:
+--- 502,554 ----
+  			/* Create the full pathname, prefixed by the
+  			 * virtual root.
+  			 */
+! 			strcpy (tmpPath, realRootDir);
+  			strcat (tmpPath, _tmp);
+  			filename = tmpPath;
+  		}
++ 		else {
++ 			/* Squeeze out any '.' or '..' components */
++ 		        strcpy (tmpPath, filename);
++                         if (realPath (tmpPath, _tmp) < 0) {
++                                 if (tftpDebugLevel > 1)
++                                         syslog (LOG_DEBUG, "realPath fails");
++                                 return EACCESS;
+                          }	
++ 			/* Create the full pathname */
++ 			strcpy (tmpPath,_tmp);
++ 			filename = tmpPath;
++ 			if (strncmp(filename,realRootDir,rootLen) != 0) {
++ 			    if (tftpDebugLevel > 1) {
++ 				syslog(LOG_DEBUG, "file=%s; invalid access denied", filename);
++ 				return EACCESS;
++ 	                    }	
++ 			}
++ 		}
++ 	}
+  
+  	/* Rule 3:
+  	 */
+! 	if ((!IS_ROOTED(filename)  && tftpRootDirectory != 0) ||
+! 	    (!IS_ROOTED(filename)  && tftpDefaultDirectory != 0)) {
+! 		char _tmp[1024];
+  		strcat (tmpPath, filename);
++ 	        /* Squeeze out any '.' or '..' components */
++                         strcpy (tmpPath, filename);
++                         if (realPath (tmpPath, _tmp) < 0) {
++                                 if (tftpDebugLevel > 1)
++                                         syslog (LOG_DEBUG, "realPath fails");
++                                 return EACCESS;
++                         }
++ 		if ( tftpDefaultDirectory == 0 ) {
++ 			strcpy (tmpPath, tftpRootDirectory);
++ 		}
++ 		else {
++ 			strcpy (tmpPath, tftpDefaultDirectory);
++ 		}
++ 		strcat (tmpPath, _tmp);
+  		filename = tmpPath;
+  	}
++ 
+  
+  	/* Check access lists */
+  	/* Rules 4&5:
+-- 
+
+                                             ***
+                                            (o o)
+ ---------------------------------------ooO--(_)--Ooo----------------------
+|                           |                                              |
+|                           | Christian Schroeder (Dr.-Ing.)               |
+|                           |                                              |
+|        _/_/_/     _/_/_/  | Technische Universitaet Ilmenau              |
+|      _/    _/  _/     _/  | Fakultaet Elektrotechnik/Informationstechnik |
+|    _/          _/         | Mikroelektronische Schaltungen u. Systeme    |
+|   _/           _/_/_/     | Postfach 0565                                |
+|  _/                 _/    | 98684 ILMENAU                                |
+|  _/     _/  _/      _/    |                                              |
+|   _/_/_/     _/_/_/       | Phone  : +49 (0) 3677/69-1165/1168/1169      |
+|                           | FAX    : +49 (0) 3677/69-1163                |
+|                           | E-Mail : schroeder@Inf-Technik.TU-Ilmenau.DE |
+ --------------------------------------------------------------------------
+
+
author	pst <pst@FreeBSD.org>	1996-08-12 01:36:01 +0800
committer	pst <pst@FreeBSD.org>	1996-08-12 01:36:01 +0800
commit	a93c95713bf0ba2d869be862c4429b4817e8ab22 (patch)
tree	08a3c2e4d2e4005231105132ad04b3ea14865940 /ftp
parent	d39ecef17bc67ae1468d8d06c8f554f607c25a5e (diff)
download	freebsd-ports-gnome-a93c95713bf0ba2d869be862c4429b4817e8ab22.tar.gz freebsd-ports-gnome-a93c95713bf0ba2d869be862c4429b4817e8ab22.tar.zst freebsd-ports-gnome-a93c95713bf0ba2d869be862c4429b4817e8ab22.zip