Allow read_link to read absolute paths #354
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
asomers
force-pushed
the
readlinkat
branch
2 times, most recently
from
04e1cad
to
73bc997
Compare
Previously it would return an error if the link's destination were absolute. But there were three problems with this: * It wouldn't return an error if the link's destination were a relative path that uses ../ to point outside of the sandbox. That's inconsistent. * Sometimes a symlink with an absolute path doesn't escape the sandbox. For example /sandbox/link -> /sandbox/target. But read_link wouldn't allow that. * More importantly, sometimes it's important to read a link that points outside of the sandbox. For example, a backup application could copy all of the files from the root directory of one computer to a subdirectory of another. Symlinks would be broken, but would work again after a restore operation. The application that performs the restore would need to be able to read link targets, even if they point outside of the root. Or, a jail file system could contain absolute symlinks that resolve correctly for a jailed process, but not for an unjailed one. But it would still sometimes be useful for an unjailed process to read the links. Fixes bytecodealliance#353
asomers
added a commit
to asomers/libunftp
that referenced
this pull request
May 14, 2024
asomers
added a commit
to asomers/cap-std
that referenced
this pull request
May 15, 2024
These allow creating and readling symlinks whose target may be an absolute path. There is no security risk because security is as always provided by the OS; the OS's openat implementation will refuse to follow a symlink whose target is an absolute path. Fixes bytecodealliance#354
asomers
added a commit
to asomers/cap-std
that referenced
this pull request
May 15, 2024
These allow creating and readling symlinks whose target may be an absolute path. There is no security risk because security is as always provided by the OS; the OS's openat implementation will refuse to follow a symlink whose target is an absolute path. Fixes bytecodealliance#354
|
Superseded by #356 |
sunfishcode
pushed a commit
that referenced
this pull request
May 16, 2024
These allow creating and readling symlinks whose target may be an absolute path. There is no security risk because security is as always provided by the OS; the OS's openat implementation will refuse to follow a symlink whose target is an absolute path. Fixes #354
asomers
added a commit
to asomers/libunftp
that referenced
this pull request
May 28, 2024
asomers
added a commit
to asomers/libunftp
that referenced
this pull request
May 28, 2024
asomers
added a commit
to asomers/libunftp
that referenced
this pull request
May 28, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously it would return an error if the link's destination were absolute. But there were three problems with this:
Fixes #353