From: Jason A. Donenfeld
Date: Sat, 25 May 2013 17:47:15 +0000 (+0200)
Subject: ui-summary: Disallow directory traversal
X-Git-Url: https://gitweb.ps.run/ps-cgit/commitdiff_plain/fe36f84d843cd755c6dab629a0758264de5bcc00?hp=fe36f84d843cd755c6dab629a0758264de5bcc00

ui-summary: Disallow directory traversal

Using the url= query string, it was possible to request arbitrary files
from the filesystem if the readme for a given page was set to a filesystem
file. The following request would return my /etc/passwd file:

http://git.zx2c4.com/?url=/somerepo/about/../../../../etc/passwd

http://data.zx2c4.com/cgit-directory-traversal.png

This fix uses realpath(3) to canonicalize all paths, and then compares
the base components.

This fix introduces a subtle timing attack, whereby a client can check
whether or not strstr is called using timing measurements in order to
determine if a given file exists on the filesystem.

This fix also does not account for filesystem race conditions (TOCTOU)
in resolving symlinks.

Signed-off-by: Jason A. Donenfeld
---
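The check the commit describes, canonicalizing with realpath(3) and then comparing at a path-component boundary, as an added illustration that is not cgit's code and does not mirror its repository layout. path_within_base() is a hypothetical helper; run_demo() builds a constructed throwaway tree under /tmp (a readme inside the served directory, a file outside it, and a sibling directory whose name shares the prefix "repo") and reports which cases were allowed or denied. It assumes /tmp is writable and a POSIX libc.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Canonicalize both paths with realpath(3), then require that the request
 * is the base directory itself or lies beneath it at a path-component
 * boundary.  A request that cannot be resolved (missing file, dangling
 * symlink, no permission) is refused rather than passed through.
 * Returns 1 = allowed, 0 = denied.  (Hypothetical helper, not cgit's.) */
int path_within_base(const char *base, const char *requested)
{
    char base_real[PATH_MAX];
    char req_real[PATH_MAX];

    if (realpath(base, base_real) == NULL)
        return 0;
    if (realpath(requested, req_real) == NULL)
        return 0;                         /* unresolvable -> deny */

    if (strcmp(base_real, "/") == 0)
        return 1;                         /* every absolute path is under "/" */

    size_t blen = strlen(base_real);
    if (strncmp(req_real, base_real, blen) != 0)
        return 0;                         /* different prefix entirely */

    /* A bare prefix match is not enough: "/srv/repo2/x" starts with
     * "/srv/repo" but is not inside it.  Demand a '/' (or end) next. */
    return req_real[blen] == '\0' || req_real[blen] == '/';
}

static int touch(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Builds a constructed fixture tree (not cgit's real layout):
 *   <tmp>/repo/about/README   legitimate readme inside the served dir
 *   <tmp>/outside.txt         file that must never be served
 *   <tmp>/repo2/secret        sibling whose name shares the prefix "repo"
 * and exercises path_within_base() against it.  Returns a bitmask:
 *   bit 0  README inside repo            -> allowed
 *   bit 1  ../../outside.txt traversal   -> denied
 *   bit 2  file that does not exist      -> denied
 *   bit 3  ../repo2/secret prefix trick  -> denied
 * so 15 means every check behaved as intended; -1 means setup failed. */
int run_demo(void)
{
    char root[] = "/tmp/traversal-demo-XXXXXX";
    char repo[PATH_MAX], about[PATH_MAX], readme[PATH_MAX];
    char outside[PATH_MAX], repo2[PATH_MAX], secret[PATH_MAX], req[PATH_MAX];
    int result = 0;

    if (mkdtemp(root) == NULL)
        return -1;
    snprintf(repo, sizeof repo, "%s/repo", root);
    snprintf(about, sizeof about, "%s/repo/about", root);
    snprintf(readme, sizeof readme, "%s/repo/about/README", root);
    snprintf(outside, sizeof outside, "%s/outside.txt", root);
    snprintf(repo2, sizeof repo2, "%s/repo2", root);
    snprintf(secret, sizeof secret, "%s/repo2/secret", root);
    if (mkdir(repo, 0700) || mkdir(about, 0700) || mkdir(repo2, 0700) ||
        touch(readme) || touch(outside) || touch(secret))
        return -1;

    snprintf(req, sizeof req, "%s/about/README", repo);
    if (path_within_base(repo, req))
        result |= 1;
    snprintf(req, sizeof req, "%s/about/../../outside.txt", repo);
    if (!path_within_base(repo, req))
        result |= 2;
    snprintf(req, sizeof req, "%s/about/does-not-exist", repo);
    if (!path_within_base(repo, req))
        result |= 4;
    snprintf(req, sizeof req, "%s/../repo2/secret", repo);
    if (!path_within_base(repo, req))
        result |= 8;

    /* tidy up the fixture */
    unlink(readme); unlink(outside); unlink(secret);
    rmdir(about); rmdir(repo); rmdir(repo2); rmdir(root);
    return result;
}

int main(void)
{
    printf("checks passed bitmask: %d (15 = all)\n", run_demo());
    return 0;
}
```

Two points from the commit message carry over unchanged. The early return when realpath(3) fails is exactly where the timing side channel sits: a request for a file that does not exist is answered faster than one that exists and is then rejected, so a caller can infer existence from response time. And the check is still realpath-then-use: a symlink swapped between the canonicalization and the later open is not caught, so this helper limits but does not remove the TOCTOU window the commit acknowledges.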