Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix RemoveRelativePathComponents (again) and fix mod security with paths starting with ".." #4919

Closed
wants to merge 2 commits into from
Closed

Fix RemoveRelativePathComponents (again) and fix mod security with paths starting with ".." #4919

wants to merge 2 commits into from

Conversation

ShadowNinja
Copy link
Member

Fixes #4909.

  • Fix RRPC: This used to return "/foo" for "../foo" when it should return the empty
    string (i.e., error removing all relative components). Also, "./foo" should be resolved to "foo".
  • Security: Trying to resolve a path with RRPC that can't be resolved without leaving leading parent components (e.g. "../worlds/foo" or "bar/../../worlds/foo") will fail. To work around this, we leave the relative components and simply remove the trailing components one at a time, and bail out when we find a parent component. This will still fail for paths like "worlds/foo/noexist/../auth.txt" (the path before the last parent component must not exist), but this is fine since you won't be able to open a file with a path like that anyways (the O.S. will determine that the path doesn't exist. Try cat /a/../etc/passwd).

@ShadowNinja ShadowNinja added @ Script API Blocker The issue needs to be addressed before the next release. Bugfix 🐛 PRs that fix a bug labels Dec 17, 2016
@ShadowNinja ShadowNinja changed the title Fix RemoveRelativePathComponents (again) and fix mod security with paths starting with "..". Fix RemoveRelativePathComponents (again) and fix mod security with paths starting with ".." Dec 17, 2016
sfan5
sfan5 previously requested changes Dec 17, 2016
View reviewed changes
Copy link
Member

@sfan5 sfan5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just this minor thing, 👍 otherwise

src/filesys.cpp
}
if (pos > 0) {
pos++;
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

brace removal possible

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code style nowhere mandates that braces should be removed. Both placing braces and not placing them is fine.

@paramat paramat added this to the 0.4.15 milestone Dec 17, 2016
@paramat
Copy link
Contributor

paramat commented Dec 17, 2016

Does this replace #4849 ? If there's a conflict which should be merged first?

@sfan5
Copy link
Member

sfan5 commented Dec 17, 2016

@paramat No, those two PRs fix two seperate issues with mod security.

@ShadowNinja
Fix RemoveRelatvePathComponents
b743de6 
This used to return "/foo" for "../foo" when it should return the enpty
string (i.e., error removing all relative components).
@ShadowNinja
Security: Fix resolving of some relative paths
aee24c8 
Trying to resolve a path with RemoveRelativePathComponents that can't
be resolved without leaving leading parent components (e.g. "../worlds/foo"
or "bar/../../worlds/foo") will fail.  To work around this, we leave
the relative components and simply remove the trailing components one
at a time, and bail out when we find a parent component.  This will
still fail for paths like "worlds/foo/noexist/../auth.txt" (the path
before the last parent component must not exist), but this is fine
since you won't be able to open a file with a path like that anyways
(the O.S. will determine that the path doesn't exist.
Try `cat /a/../etc/passwd`).
@ShadowNinja
Copy link
Member Author

@sfan5: Done.

@paramat
Copy link
Contributor

paramat commented Dec 20, 2016

Applying: Fix RemoveRelatvePathComponents
Applying: Security: Fix resolving of some relative paths
error: patch failed: src/script/cpp_api/s_security.cpp:340
error: src/script/cpp_api/s_security.cpp: patch does not apply
Patch failed at 0002 Security: Fix resolving of some relative paths

When attempting to merge after #4849, so i will merge #4849 only for now.

@paramat
Copy link
Contributor

paramat commented Dec 20, 2016

#4849 merged.

@Zeno-
Copy link
Contributor

Zeno- commented Dec 20, 2016

merged as

0f05021
and
f522e73

Both commits seemed large(ish) so I did not squash

@Zeno- Zeno- closed this Dec 20, 2016
@paramat paramat mentioned this pull request Dec 20, 2016
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@est31 est31 est31 left review comments

@sfan5 sfan5 sfan5 approved these changes

Assignees
No one assigned
Labels
Blocker The issue needs to be addressed before the next release. Bugfix 🐛 PRs that fix a bug High priority @ Script API >= Two approvals ✅ ✅
Projects
None yet
Milestone
0.4.15
Development

Successfully merging this pull request may close these issues.

Mod security: Still broken with different --world
5 participants
@ShadowNinja @paramat @sfan5 @Zeno- @est31