Disallow abuse of writes via ErrorFile when NoAbsolute is set

Exploit reported by Peter Ajamian. (cherry picked from commit 9b6872c) (cherry picked from commit 5dd0cf2)
pajamian · Sep 16, 2009 · 178a5c3 · 178a5c3
1 parent c1f7147
commit 178a5c3
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 10 deletions.
diff --git a/dist/test/products/tests.asc b/dist/test/products/tests.asc
@@ -4567,6 +4567,29 @@ Verify fix of AllowedFileRegex circumvention
 %%
 Verify fix of TemplateDir circumvention of NoAbsolute constraints
 %%%
+000168
+%%
+[if file /tmp/ic.bad.file]
+    The bad test file /tmp/ic.bad.file already exists!
+    Please delete it before re-running this test.
+[/if]
+[calcn]
+    my $oldfile = $Config->{ErrorFile};
+    $Config->{ErrorFile} = '/tmp/ic.bad.file';
+    Log 'This is a new file that is being created and written where it should not be.';
+    $Config->{ErrorFile} = $oldfile;
+    return;
+[/calcn]
+[if file /tmp/ic.bad.file]bad[else]good[/else][/if]ness
+%%
+goodness
+%%
+already exists
+%%
+
+%%
+Verify fix of ErrorFile circumvention of NoAbsolute constraints
+%%%
 999999
 %%
 [the test] [perl]

diff --git a/lib/Vend/Util.pm b/lib/Vend/Util.pm
@@ -1732,22 +1732,29 @@ sub logError {
 	$Vend::Errors .= $msg
 		if $Vend::Cfg->{DisplayErrors} || $Global::DisplayErrors;
 
-    eval {
-		open(MVERROR, ">> $opt->{file}")
-											or die "open\n";
-		lockfile(\*MVERROR, 1, 1)		or die "lock\n";
-		seek(MVERROR, 0, 2)				or die "seek\n";
-		print(MVERROR $msg, "\n")		or die "write to\n";
-		unlockfile(\*MVERROR)			or die "unlock\n";
-		close(MVERROR)					or die "close\n";
-    };
+    my $reason;
+    if (! allowed_file($opt->{file}, 1)) {
+        $@ = 'access';
+        $reason = 'prohibited by global configuration';
+    }
+    else {
+        eval {
+            open(MVERROR, ">> $opt->{file}")
+                                        or die "open\n";
+            lockfile(\*MVERROR, 1, 1)   or die "lock\n";
+            seek(MVERROR, 0, 2)         or die "seek\n";
+            print(MVERROR $msg, "\n")   or die "write to\n";
+            unlockfile(\*MVERROR)       or die "unlock\n";
+            close(MVERROR)              or die "close\n";
+        };
+    }
     if ($@) {
 		chomp $@;
 		logGlobal ({ level => 'info' },
 					"Could not %s error file %s: %s\nto report this error: %s",
 					$@,
 					$opt->{file},
-					$!,
+					$reason || $!,
 					$msg,
 				);
     }