do not allow filesystem fallback in server download #15429

Merged
merged 1 commit into from Jul 29, 2022

harshavardhana
Member

Description

do not allow filesystem fallback in server download

Motivation and Context

It is possible for anyone with admin access to relatively
to get any content of any random OS location by simply
providing the file with 'mc admin update alias/ /etc/passwd'.

A workaround is to disable 'admin:ServiceUpdate' action. Everyone
is advised to upgrade to this patch.

Thanks to @Alevsk for finding this bug.

How to test this PR?

Perform 'mc admin update alias/ /etc/passwd'; you will see '/etc/passwd' in the error response.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Optimization (provides speedup with no functional changes)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Fixes a regression (If yes, please add commit-id or PR # here)
  • Documentation updated
  • Unit tests added/updated
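
The pattern the description refers to, as an added example that is not MinIO's code and not part of this PR: a loader that falls back to the local filesystem when its input is not an http(s) URL, next to a strict variant that has no filesystem branch. All function names, the injected `fetcher` type and the sample URL are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
)

// fetcher performs the remote download; injected so the example runs offline.
type fetcher func(u *url.URL) ([]byte, error)

// Before: anything that is not an http(s) URL is treated as a local path,
// so the API caller decides which server-side file is read.
func loadWithFallback(src string, get fetcher) ([]byte, error) {
	if u, err := url.Parse(src); err == nil && (u.Scheme == "http" || u.Scheme == "https") {
		return get(u)
	}
	return os.ReadFile(src)
}

// validateUpdateSource accepts only absolute http(s) URLs that name a host.
func validateUpdateSource(src string) (*url.URL, error) {
	u, err := url.Parse(src)
	if err != nil {
		return nil, fmt.Errorf("invalid update URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("unsupported update source scheme %q", u.Scheme)
	}
	if u.Host == "" || u.Opaque != "" {
		return nil, errors.New("update URL must include a host")
	}
	return u, nil
}

// After: there is no filesystem branch; non-URL input is rejected.
func loadStrict(src string, get fetcher) ([]byte, error) {
	u, err := validateUpdateSource(src)
	if err != nil {
		return nil, err
	}
	return get(u)
}

func main() {
	get := func(u *url.URL) ([]byte, error) { return []byte("constructed release info"), nil }
	for _, src := range []string{"/etc/passwd", "file:///etc/passwd", "https://updates.example.test/release"} {
		_, err := loadStrict(src, get)
		fmt.Printf("%-40s -> err=%v\n", src, err)
	}
}
```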

It is possible for anyone with admin access to relatively
to get any content of any random OS location by simply
providing the file with 'mc admin update alias/ /etc/passwd'.

Workaround is to disable 'admin:ServiceUpdate' action. Everyone
is advised to upgrade to this patch.

Thanks to @Alevsk for finding this bug.
@minio-trusted
Contributor

Mint Automation

Test Result
mint-large-bucket.sh ✔️
mint-fs.sh ✔️
mint-gateway-s3.sh ✔️
mint-erasure.sh ✔️
mint-dist-erasure.sh ✔️
mint-compress-encrypt-dist-erasure.sh ✔️
mint-pools.sh ✔️
Deleting image on docker hub
Deleting image locally

4 participants